
What approaches can we use to cleanly provide access to both API clients and regular users in a Rails application?

We're building a Rails 3 web application that will need to authorize and authenticate regular users who visit the site. Those same users may also use third-party applications to access the site via our API.

What approaches can we use to effectively and cleanly provide access to clients as well as users? What strategies have you used in your own Rails applications that also have RESTful APIs?

Ideally, we're after a solution which:

  • plays well with Devise and CanCan (which we already use for authn/authz)
  • plays well with Mongoid
  • doesn't pollute our controllers
  • is relatively simple to install and configure, if it's a gem or plugin
  • is easily testable, if it's a general strategy; or is already tested, if it's a gem or plugin


Since you're already using Devise, take a look at the token_authenticatable strategy (Add it to your user model and make sure the devise init reflects whatever you call the token param).

You'll want to add: "before_save :ensure_authentication_token" to your user model as well (assuming you don't want it to be single use).

Just provide your users with their tokens on, say, their profile page or wherever. Call it an API token if you like.

0
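A plain-Ruby sketch of the mechanism the answer describes, added here as an example and not taken from the answer or from Devise: a token generated once when the user is saved and then checked on each API request. `ApiUser`, `TokenAuthenticator`, the `auth_token` parameter name and the in-memory user list are hypothetical stand-ins for the Devise model, strategy, configured token param and database.

```ruby
require 'securerandom'

# Hypothetical stand-in for the Devise user model (no Rails or Mongoid needed).
class ApiUser
  attr_reader :email, :authentication_token

  def initialize(email)
    @email = email
  end

  # Same role as `before_save :ensure_authentication_token`: generate a token
  # only when none exists, so it stays valid across saves (not single use).
  def ensure_authentication_token
    @authentication_token ||= SecureRandom.urlsafe_base64(32)
  end

  # Rotate the token, e.g. after a suspected leak; the old value stops working.
  def reset_authentication_token!
    @authentication_token = SecureRandom.urlsafe_base64(32)
  end
end

# Hypothetical request-side check; `token_key` is the assumed parameter name.
class TokenAuthenticator
  def initialize(users, token_key: 'auth_token')
    @users = users
    @token_key = token_key
  end

  # Returns the matching user, or nil for a missing, empty or unknown token.
  def authenticate(params)
    token = params[@token_key].to_s
    return nil if token.empty?
    @users.find { |u| secure_compare(u.authentication_token.to_s, token) }
  end

  private

  # Compare without stopping at the first differing byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```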
