Creating a developer API platform in ASP.NET MVC 3?

I am creating an ASP.NET MVC 3 application with a www interface (www.example.com) and a developer API (api.example.com). I would like to make a simple service available to developers, where they subscribe to get a key and make REST calls with it. I cannot understand a few things:

1) How do I generate and save keys? Is it permissible to store them in plain text in a database, or should I hash and salt them?

2) How do I resolve API calls? I assume that I do not want to do this through ASP.NET membership for this.

Things like rate limits seem straightforward once I understand these two questions.

1 answer

1) It really is up to you. I have seen this done in completely different ways in the different APIs I have worked with. Some keys look very similar to GUIDs, others are just random strings, but the important thing is that they are unique and not easy to guess. How you store them in the database, and how much effort you put into protecting your data, really depends on the sensitivity level of the user accounts. If the nature of the service you provide is very confidential and/or you can ultimately be audited, then you should use all the means necessary to protect the data (using a one-way hash and salting). My personal philosophy is to keep things as simple as possible unless there is a reason to add extra complexity, but I have worked on sites that used one-way hashing with salts for authentication.

2) It depends on who will use your service. You can use the built-in ASP.NET Forms Authentication Membership Provider and even integrate it with your public website, but this will limit the use of your API to developers using a platform that supports cookies on HttpProxies and make your API more difficult to follow. Most of the REST-ful services I've come across use a combination of basic authentication and SSL, which will provide the widest range of developer support, but will be more difficult to implement on your side. On the server side, you will have to grab the user credentials from the HTTP headers and authenticate them against your user database.

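The following is an added example covering both points of the answer above (random, hard-to-guess keys stored only as a salted hash, and HTTP Basic authentication over SSL checked in an MVC filter). It is not code from the original question or answer. It assumes ASP.NET MVC 3 on .NET 4; `IApiKeyStore`, `InMemoryApiKeyStore`, `ApiKeyRecord` and `ApiKeyAuthorizeAttribute` are hypothetical names standing in for whatever your own data access layer provides.

```csharp
// Added example, not from the original post. Assumes ASP.NET MVC 3 on .NET 4.
// IApiKeyStore / InMemoryApiKeyStore are hypothetical stand-ins for a real database table.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class ApiKeyRecord
{
    public string KeyId { get; set; }   // public identifier, sent as the Basic-auth user name
    public byte[] Salt { get; set; }    // per-key random salt
    public byte[] Hash { get; set; }    // salted hash of the secret; the secret itself is never stored
}

public interface IApiKeyStore
{
    ApiKeyRecord FindById(string keyId);
    void Save(ApiKeyRecord record);
}

public class InMemoryApiKeyStore : IApiKeyStore   // hypothetical; replace with your DB code
{
    private readonly Dictionary<string, ApiKeyRecord> _records = new Dictionary<string, ApiKeyRecord>();
    public ApiKeyRecord FindById(string keyId) { ApiKeyRecord r; return _records.TryGetValue(keyId, out r) ? r : null; }
    public void Save(ApiKeyRecord record) { _records[record.KeyId] = record; }
}

public static class ApiKeys
{
    private const int Iterations = 1000;   // PBKDF2 rounds; the secret is already high-entropy, so modest

    // Issues a new key for a developer and stores only the salted hash of the secret.
    // The secret is returned once; it must be shown to the developer now because it cannot be recovered.
    public static string Issue(IApiKeyStore store, out string keyId)
    {
        var rng = new RNGCryptoServiceProvider();
        var idBytes = new byte[8]; rng.GetBytes(idBytes);
        var secretBytes = new byte[32]; rng.GetBytes(secretBytes);   // 256 random bits: not guessable
        var salt = new byte[16]; rng.GetBytes(salt);

        keyId = ToUrlSafe(idBytes);
        string secret = ToUrlSafe(secretBytes);
        store.Save(new ApiKeyRecord { KeyId = keyId, Salt = salt, Hash = HashSecret(secret, salt) });
        return secret;
    }

    public static bool Verify(IApiKeyStore store, string keyId, string secret)
    {
        var record = store.FindById(keyId);
        if (record == null) return false;
        return FixedTimeEquals(record.Hash, HashSecret(secret, record.Salt));
    }

    private static byte[] HashSecret(string secret, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // Compare every byte so the response time does not reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string ToUrlSafe(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}

// Apply [ApiKeyAuthorize] to API controllers. Credentials arrive as HTTP Basic auth:
//   Authorization: Basic base64("<keyId>:<secret>")
public class ApiKeyAuthorizeAttribute : AuthorizeAttribute
{
    public static IApiKeyStore Store = new InMemoryApiKeyStore();   // set once at startup (Global.asax)

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var request = httpContext.Request;
        if (!request.IsSecureConnection) return false;   // Basic auth sends the secret in the clear without SSL

        string header = request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }

        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;
        return ApiKeys.Verify(Store, decoded.Substring(0, colon), decoded.Substring(colon + 1));
    }

    // Answer with 401 plus a Basic challenge rather than the Forms-auth redirect to a login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
        filterContext.HttpContext.Response.AddHeader("WWW-Authenticate", "Basic realm=\"api.example.com\"");
    }
}
```

Two points worth checking when wiring this in: if Forms authentication is enabled in web.config for api.example.com, the FormsAuthenticationModule will turn the 401 into a redirect to the login page, so run the API host with authentication mode="None"; and because only the salted hash is stored, a lost secret cannot be recovered, which is why `Issue` returns it exactly once and a "regenerate key" action rather than a "show key" action belongs in the developer portal.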

Source: https://habr.com/ru/post/1346149/