The answer to your question depends on how much security you want. Using an auth token stored in the user table is a somewhat low level of security, like username/password. Over an https connection, it's fairly difficult for a casual attacker to get what they need, but if they do, it's vulnerable to replay attacks. Even if you implement a rolling key (change it often), there must be some way to communicate the new key to the client, which that same attacker could intercept. That said, if you want to pass the auth_token in the header, you can retrieve it in your controller using something like this: request.headers[:auth_token].
HMAC is a considerably more secure method that prevents replay attacks by incorporating a shared secret between the client and server and a timeout for the signed request. See my answer to this question for more about HMAC and a Rails server with an iPhone client.
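The HMAC scheme the answer describes, as an added example that is not part of the original answer or any project it mentions. It assumes SHA-256, the header names X-Timestamp, X-Nonce and X-Signature, a 300-second clock-skew window, and an in-memory nonce store; all of these are choices of this example. It also goes one step beyond the answer's timestamp-only timeout: a timestamp window still lets a captured request be replayed within that window, so the server additionally records each nonce it has accepted and rejects it a second time.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not from the original answer): HMAC-signed requests.
# Assumptions: SHA-256, the X-Timestamp / X-Nonce / X-Signature header
# names, a 300-second clock-skew window, and an in-memory nonce store
# (a real deployment would keep nonces in Redis or the database with a TTL).

SHARED_SECRET = 'constructed-demo-secret-do-not-use' # constructed sample secret
ALLOWED_SKEW  = 300 # seconds either side of the server clock

# Both sides sign the same canonical string, so any change to the method,
# path, timestamp, nonce or body invalidates the signature.
def canonical_string(method, path, timestamp, nonce, body)
  body_digest = OpenSSL::Digest::SHA256.hexdigest(body.to_s)
  [method.to_s.upcase, path, timestamp.to_s, nonce, body_digest].join("\n")
end

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Client side: build the headers that accompany a request.
def sign_request(secret, method, path, body, timestamp: Time.now.to_i, nonce: SecureRandom.hex(16))
  sig = hmac_hex(secret, canonical_string(method, path, timestamp, nonce, body))
  { 'X-Timestamp' => timestamp.to_s, 'X-Nonce' => nonce, 'X-Signature' => sig }
end

# Constant-time comparison; it only short-circuits on length, which is not secret.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: verifies a request and returns :ok or a rejection reason.
class Verifier
  def initialize(secret, skew: ALLOWED_SKEW, now: -> { Time.now.to_i })
    @secret = secret
    @skew   = skew
    @now    = now   # injectable clock so the behaviour can be tested
    @seen   = {}    # nonce => timestamp, pruned as entries age out
  end

  def verify(method, path, body, headers)
    ts = Integer(headers['X-Timestamp'].to_s, 10, exception: false)
    return :bad_timestamp if ts.nil?
    # Reject anything outside the window before doing any further work.
    return :expired unless (@now.call - ts).abs <= @skew

    nonce    = headers['X-Nonce'].to_s
    expected = hmac_hex(@secret, canonical_string(method, path, ts, nonce, body))
    return :bad_signature unless secure_equal?(headers['X-Signature'].to_s, expected)

    # Signature is valid and fresh; the nonce stops a replay inside the window.
    return :replay if @seen.key?(nonce)
    @seen[nonce] = ts
    prune!
    :ok
  end

  private

  # Nonces older than the window can never verify again, so drop them.
  def prune!
    cutoff = @now.call - @skew
    @seen.delete_if { |_, t| t < cutoff }
  end
end

# Walks through the cases: a fresh request, the same request replayed, a
# tampered body, and a request whose timestamp is outside the window.
def demo(now: Time.now.to_i)
  verifier = Verifier.new(SHARED_SECRET, now: -> { now })
  body     = '{"name":"widget"}' # constructed sample payload
  headers  = sign_request(SHARED_SECRET, 'POST', '/api/items', body, timestamp: now)
  stale    = sign_request(SHARED_SECRET, 'GET', '/api/items', '', timestamp: now - 2 * ALLOWED_SKEW)
  {
    fresh:    verifier.verify('POST', '/api/items', body, headers),
    replayed: verifier.verify('POST', '/api/items', body, headers),
    tampered: verifier.verify('POST', '/api/items', '{"name":"evil"}', headers),
    stale:    verifier.verify('GET', '/api/items', '', stale),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

An attacker who captures a signed request cannot refresh its timestamp, because the timestamp is part of the signed string, and cannot resend it unchanged, because the nonce has already been accepted. In a Rails controller the verify call would read method, path, raw body and headers from the request object in a before_action; the comparison must stay constant-time regardless of how the headers are fetched.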