Cross Domain API authentication
Hi, I need to expose a JSON webservice to another branch of the company. They will manage their own users table in a public web app, while my app is only accessible when a different set of users are inside our office's LAN. The plan so far is that they will consume the webservice using AJAX requests and I should return JSON, but I don't know how to authenticate without exposing the credentials in the HTML source code. The basic workflow would be:
- User X logs in to the other branch's web app (I don't have control over this process)
- User X clicks a button and other branch's server makes a request to my server
- My server fetches the data and returns JSON
- Other server populates a dropdown (or something like that)
I've read a few tutorials about APIs but all of them talk about adding a token field in the users table and that won't be my case. What would be a secure way to do it? Even when it's inside our corporate LAN I wouldn't want to expose the web services without authentication.
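
In the workflow above the other branch's server, not the browser, calls the API, so one option is a secret shared only between the two servers and used to sign each request; nothing then appears in the HTML source and no per-user token column is needed. This is an added example, not part of the original post; the header names, secret value and path are hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed sample secret. In practice it lives in each server's configuration,
# never in HTML or JavaScript sent to the browser.
SHARED_SECRET = b"constructed-sample-secret-change-me"
MAX_SKEW_SECONDS = 300  # requests outside this window are rejected to limit replay


def _signature(secret: bytes, method: str, path: str, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over the request parts that must not be altered in transit."""
    body_hash = hashlib.sha256(body).hexdigest()
    message = "\n".join([method.upper(), path, timestamp, body_hash]).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def sign_request(method: str, path: str, body: bytes = b"",
                 now: Optional[float] = None) -> dict:
    """Runs on the other branch's server: headers for the outgoing call."""
    timestamp = str(int(time.time() if now is None else now))
    return {
        "X-Timestamp": timestamp,  # hypothetical header name
        "X-Signature": _signature(SHARED_SECRET, method, path, timestamp, body),
    }


def verify_request(method: str, path: str, headers: dict, body: bytes = b"",
                   now: Optional[float] = None) -> bool:
    """Runs on the API server before it fetches data and returns JSON."""
    timestamp = headers.get("X-Timestamp", "")
    supplied = headers.get("X-Signature", "")
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated request
    expected = _signature(SHARED_SECRET, method, path, timestamp, body)
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

The signature covers the method, path, timestamp and body hash, so a captured header pair cannot be reused for a different endpoint or after the time window; the call should still travel over TLS.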