What I would do is show a Web UI the first time (authenticating with Persona) and then exchange a secret token between the server and the client. You then include the token along with each request to the REST API.
That way you'd be using Persona for the initial authentication, then you'd be using a token-based system for authorization.