Any advance in this task ?
Are you planning to add authentication data at every call, thus modifying the parameters required by the WS calls, or having them in some session data, thus modifying every function implementation to check for these data ?
In any case, you would have to sent to WS login/password data in some sort of login/logout call .
How do you plan to support "ticket based authentication" such as CAS or Shiboleth ?
Since WS calls are going to be used by external developpers to sync their information systems with Moodle, you will have to provide them with an admin login/password access to be able to create/modify Moodle entities ; this could be a major security issue since they could use this access in standard Moodle interactive mode. One possible solution could be to have a "web service only" authentication plugin, maybe with IP addresses restriction ?