You cannot do this. If you just send a scrambled/hashed password in a single request, then it has the same value to an attacker as the plaintext password. They can just send the same scrambled value themselves to gain access.
Originally Posted by prigole
The only alternative is to use a protocol like SRP to authenticate.