Cross-domain request with private key verification - which way?

Good day!
The theme has been discontinued. The solution was found.
The question is as follows:
Server = exemple.com
Site = site.com
Key = individual hash
There can be an unlimited number of sites, the resulting problem is the organization of a cross-domain request to verify the site key.
Example:
site.com/key.php - sends a request for a file located on the server, if the file exists, then you need to check if the site has access to the server ...
Binding Access-Control-Allow-Origin to domains is not a solution. ..
Tell me in which direction to move?
- - - - - - - -
Solution:
1. Settings:
exemple.com- access is open to everyone
2. Request:
site.com/key.php
- makes a cross-domain request for the required directive (say exemple.com/dev/login.php)
- if the response is positive and the file exists, we send a GET request (I chose cURL )
example: http://exemple.com/dev/login.php?key=[hash]&...[additional... parameters]
- then we compare the received hash with the base, perform the necessary manipulations, send the answer
further what is already heart will please.