If I understand correctly, you have
- 1 Rails app with an API
- 1 Rails app that serves the front-end, and the first app actually serves as backend/database for this app
Correct?
In that case I would make sure:
- you use Devise in the second (UI) app
- the authentication of the API is between two servers, and you could just use a simple/effective authentication token
- the second server will protect the API from unauthorized access, since no client will ever see the URL or authentication token (since it is server <-> server communication)
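
The server-to-server token check described above, as an added example that is not part of the original answer: plain Ruby with Rack-style lambdas standing in for the two Rails apps. `API_TOKEN`, `API_APP`, `ui_fetch_items`, the `Bearer` header scheme and the `signed_in` flag (standing in for Devise's `authenticate_user!`) are assumptions made for illustration.

```ruby
require "digest"

# Constructed sample secret. On real servers both apps read it from the
# environment or Rails credentials; it never reaches the browser or the repo.
API_TOKEN = "constructed-sample-token-0123456789abcdef"

# Constant-time comparison over fixed-length digests, so response timing does
# not reveal how many leading characters of a guess were right. Inside Rails,
# ActiveSupport::SecurityUtils.secure_compare does this job.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a)
  db = Digest::SHA256.digest(b)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# API app (hypothetical endpoint): every request must carry the shared token.
API_APP = lambda do |env|
  scheme, token = env["HTTP_AUTHORIZATION"].to_s.split(" ", 2)
  unless scheme == "Bearer" && token && secure_compare(token, API_TOKEN)
    return [401, { "content-type" => "application/json" }, ['{"error":"unauthorized"}']]
  end
  [200, { "content-type" => "application/json" }, ['{"items":[]}']]
end

# UI app: the browser only reaches this code, and only with a valid Devise
# session (signed_in stands in for authenticate_user!). The token is attached
# on the server, so it is never part of any response sent to the client.
def ui_fetch_items(signed_in:, token: API_TOKEN, api: API_APP)
  return [302, { "location" => "/users/sign_in" }, []] unless signed_in

  status, _headers, body = api.call({ "HTTP_AUTHORIZATION" => "Bearer #{token}" })
  raise "API rejected the UI server's token" unless status == 200

  [200, { "content-type" => "application/json" }, body]
end
```

The API app should additionally be reachable only from the UI server (private network or firewall rule), so the token is a second layer rather than the only one.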