Any of those help Just check how others are doing this, for example in this article: Authentication on Facebook. In general the idea is that there is a separate API call that the client calls in order to authenticate itself to the system. The system may accept any client or only from a list of registered clients. Once the system verifies the client, it issues a special token that the client is then using in all API calls. In Facebook documentation it's called Access token. If the client tries to call an API without a valid token the system reports this as an error and in certain conditions may block the client.
Authentication and Authorization in single page applications
I wish did fix the issue. There is no difference between single and multi page applications in terms of authentication/authorization. If you are using Forms Authentication, Windows Authentication or yet another method of authentication/authorization, you still use it when moving to single page application architecture. In both cases, an application sends requests to the server to access resources. Multi page applications request pages. Single page applications request data from web services. Resources that need to be protected are protected, usually using built-in mechanisms.
Creating an API for mobile applications - Authentication and Authorization