How do you authenticate user generated "apps" for your app?

I'm think something like Facebook apps here. User generated pieces of code that people can write to interact with my app.

I understand how an authenticated API works, but this seems a little more complicated because not only does the APP have to authenticate itself (with a regular api-key) but the USER using the app has to be authenticated somehow too, without giving the app free reign.

I've been reading a bit here to see how FB does it: http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application

And it looks like you have to pass a signature in addition to the api-key along with every call, but I'm having trouble wrapping my head around how this gets generated and used on the other end (my server).

Figure there must be a simple explanation of this out there? Thanks!

P.S.开发者_StackOverflow I'm building a Rails app if there are any applicable gems/plugins.

This may be what I need:

http://github.com/phurni/authlogic_api

Did you have any success with authlogic_api? I'm working on the server-side for a Steam game, where users are logged in through Steam, so I'm only responding to REST calls from the client (no user login required). The rdocs for authlogic_api give some brief set-up info, but I'm struggling with what to do in the application_controller to restrict access; essentially the equivalent of this code from the authlogic example:

http://github.com/binarylogic/authlogic_example/blob/5819a13477797d758cb6871f475ed1c54bf8a3a7/app/controllers/application_controller.rb