The code is something like this:

HttpClient httpClient = new DefaultHttpClient();
HttpPost httpPost = new HttpPost("http://site.com/url");

StringEntity requestEntity = new StringEntity("<?xml version=\"1.0\" encoding=\"windows-1251\"?>..."); // можно использовать ByteArrayEntity или InputStreamEntity если данные берутся из файла
requestEntity.setContentType("application/x-www-form-urlencoded");
httpPost.setEntity(requestEntity);
HttpResponse response = httpClient.execute(httpPost);

You answered your own question - the data is sent in the request body.
The fact that you are used to the fact that in it they usually go something like this:
foo=bar&foo1=bar1
does not mean that you cannot send without such formatting.
Keywords to search for: RAW POST, POSTDATA, etc.

You can get the content of the request, for example, via $HTTP_RAW_POST_DATA
BUT:
Your content of the POST request does not match
Content-Type: application/x-www-form-urlencoded
If you want to post exactly XML, then it should be
Content-Type: text/xml
If you want to post exactly as form data and access by field name, and not HTTP_RAW_POST_DATA, then encode them appropriately.

It's not entirely clear what key you're talking about?
First, you better then send the data via https. Then the transport will be secure. Without keys.
If you are talking about some kind of oAuth token or some other signature, then show the code that sends your post request. In the WNezRoS example , I don't think there will be any keys either, since I don't see anything being inserted for that...

If in php, then you can get this data in this way:

$request = file_get_contents('php://input');