You can implement some sort of authentication. Devise could help with this, storing authentication information in the user's session. Then in your controllers you can use something like before_filter :authenticate_user!
If your server is available over the open internet, you either need named user authentication (useful for other things besides auth, like tracking users) or need to run it as a public API, not caring if users hit it (but then you need rate limiting to avoid unintentional DDoS, adding another layer of complexity).
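
The rate limiting mentioned above for the public-API option, sketched as an added example (not part of the original answer): a per-client fixed-window limiter written as Rack-style middleware in plain Ruby. The class name `PublicApiThrottle`, the limit and the period are assumptions.

```ruby
# Added example: per-client fixed-window rate limiter as Rack-style middleware.
# Pure Ruby, no gems; a Rack app is any object that responds to call(env).
class PublicApiThrottle
  # limit:  max requests per client per window (assumed default)
  # period: window length in seconds (assumed default)
  # clock:  injectable time source so the behaviour can be tested
  def initialize(app, limit: 60, period: 60,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @app = app
    @limit = limit
    @period = period
    @clock = clock
    @hits = {}         # client key => [window_start, count]
    @lock = Mutex.new  # counters are shared across request threads
  end

  def call(env)
    # Behind a reverse proxy REMOTE_ADDR is the proxy's address; key on the
    # proxy-supplied client address only if that proxy is trusted.
    key = env["REMOTE_ADDR"] || "unknown"
    allowed, retry_after = register(key)
    return @app.call(env) if allowed

    [429,
     { "content-type" => "text/plain", "retry-after" => retry_after.to_s },
     ["Too Many Requests\n"]]
  end

  private

  # Returns [allowed, seconds_until_window_resets].
  def register(key)
    now = @clock.call
    @lock.synchronize do
      # Expire finished windows so the table does not grow without bound.
      @hits.delete_if { |_k, (start, _c)| now - start >= @period }
      start, count = @hits[key] || [now, 0]
      if count >= @limit
        [false, (@period - (now - start)).ceil]
      else
        @hits[key] = [start, count + 1]
        [true, 0]
      end
    end
  end
end
```

In a Rails app a class like this would be registered with `config.middleware.use`; the counters live in one process's memory, so several app servers would each enforce the limit separately.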