Although this may seem like a solution it is almost always not -- in his service model, the sites that are paying for his services will almost never want to pass user:pass info to him for their customers. also a single user:pass does not bode well for security as third party subscribers would be able to use one of the "services" the site is offering after canceling there account. If you look at sites that do this often the 4 basic models used are:

Transperant proxy / SSI(all requests come from subscribing sites)
Referrer (auth is based on last url)
Temp user/ID per request (cgi on the services box grants a user/pass via cgi that allows user temporary access)
Domain level cookie (middle site creates a dns record for <service>.itsdomain.com that points to the subscribed service -- then creates a cookie in its domain for auth)


-Waswas