Creating an API for one project at work, one of the tasks was to implement a token based authentication for some resources, but the client specifically requested not to have to handle cookies. Also, it was requested for the user to still have to login with it’s own login and password, rather than with a permanent token, like a permanent API key. The solution I implemented used the excellent authlogic capabilities with the single_access_token, although used slighlty differently from it’s original purpose.