API Authentication for user logged in to a Web App server

忘了有多久 2020-12-02 19:40

I am building a Web App and a separate API (so that users can share their collected data with someone if they want to) using Ruby on Rails. The users can log in on the web a

5 answers
  •  抹茶落季
    2020-12-02 20:07

    When you say Web app server and a separate API server, which need to talk to each other every time there is an update from a user on your Web app server, all I can suggest is to break them down into 3 entities as Rails engines.

    1. Core: Which will hold all your Model and your data logic.
    2. Application: Which will depend on your core engine and have client facing code, mostly controllers and views.
    3. API: Which will again depend on your core engine and have processing logic, API controllers maybe.

    Why Core? Because, when you need to update your business logic, it will be just one place: Core Engine.

    Now to answer your question further on authenticating API call from your web app server. You need to:

    1. Build the API - Rails Cast and Building Awesome Rails APIs from Collective Idea Blog.
    2. Secure the API - Rails Cast and Looking for suggestions for building a secure REST API within Ruby on Rails.
    3. I prefer OAuth for securing the API calls. For implementing OAuth2 in Rails you can use doorkeeper.

    Once you're done with securing the API, you can implement the authentication logic in your Web application. You can use OAuth2 for authenticating your app from the API.

    Also, to make your API available only to OAuth calls using doorkeeper: https://doorkeeper-provider.herokuapp.com/#client-applications

    P.S.: I prefer JSON responses from the APIs, it's a preferred trend I'd say. ;)

    EDIT: Postman is a Chrome extension for making experimental/fake APIs before you actually write them for your application. It's much faster because you'd know what you finally have to design at the end of the day.
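
An added example, not part of the answer above and not doorkeeper's own code: a stdlib-only Ruby version of the bearer-token check that an OAuth2-protected API runs on each call the web app makes for a logged-in user. `TokenStore` and `authorize_request` are hypothetical names, and the in-memory hash is an assumed stand-in for the API's token table.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory store standing in for the API's token table.
# Only the SHA-256 digest of a token is kept, so a leaked table cannot be replayed.
class TokenStore
  Record = Struct.new(:user_id, :scopes, :expires_at, :revoked)

  def initialize
    @records = {}
  end

  # Called when the web app completes an OAuth2 grant on behalf of a user.
  def issue(user_id:, scopes:, ttl: 3600, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @records[Digest::SHA256.hexdigest(token)] = Record.new(user_id, scopes, now + ttl, false)
    token
  end

  def revoke(token)
    rec = find(token)
    rec.revoked = true if rec
  end

  def find(token)
    @records[Digest::SHA256.hexdigest(token)]
  end
end

# Returns [http_status, user_id_or_nil] for an incoming API request.
def authorize_request(store, authorization_header, required_scope, now: Time.now)
  match = /\ABearer ([A-Za-z0-9\-._~+\/]+=*)\z/.match(authorization_header.to_s)
  return [401, nil] unless match # missing header or a non-Bearer scheme

  rec = store.find(match[1])
  return [401, nil] if rec.nil? || rec.revoked || now >= rec.expires_at
  return [403, nil] unless rec.scopes.include?(required_scope) # valid token, wrong scope

  [200, rec.user_id]
end

# Constructed demo: the web app gets a read-only token for user 42, then calls the API.
if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new
  token = store.issue(user_id: 42, scopes: ["read"])
  p authorize_request(store, "Bearer #{token}", "read")
  p authorize_request(store, "Bearer #{token}", "write")
end
```

The 401 and 403 cases are kept separate so the web app can tell "get a new token" from "this user never granted that scope".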
