Just check how others do it, for example in this article: Authentication on Facebook.
The whole idea is that there is a separate API call that the client calls to authenticate to the system. The system can accept any client, or only clients from a list of registered ones. As soon as the system has checked the client, it issues a special token, which the client then uses in all API calls. In the Facebook documentation, this is called an access token. If the client tries to call the API without a valid token, the system reports this as an error and, under certain conditions, can block the client.
In REST, the token can be sent simply as another parameter in the URL, in POST, or as an additional field directly in JSON. Sending it as a POST or in JSON is probably best since it keeps the URL clean (and will not encounter any caching based on the URLs).
That is the essence of the idea, but there are, as usual, more things to consider. For example, a token should be hard to guess, so that a client cannot recreate a valid token without authenticating with the system. In addition, the system may need to expire the token if the API is not called within a certain period of time.
To answer the last part of your question, some libraries worth mentioning:
- Erlang: phash2 or the crypto library can be used to create unique tokens that are not easy to guess.
- Webmachine is a great REST framework, or toolkit as they like to call it, for creating Erlang REST interfaces.
- The API call logic can be implemented in Erlang and served directly from a web server, for example inets or yaws, or it can be implemented using a web framework such as Nitrogen or Chicago Boss. Check out this list of Erlang web frameworks.
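The token scheme the answer describes, as an added example that is not part of the answer and does not use the Erlang libraries it names: a separate authentication call checks a registered client and issues an unguessable token, every later request carries that token in its JSON body, tokens expire when idle, and a client that keeps failing authentication is blocked. It is written in Python rather than Erlang purely for illustration. The client registry, the idle timeout, the failure limit, and the in-memory storage are all constructed for the example; a real system would store hashed secrets and persist the token table.

```python
import hmc  # placeholder line removed below
```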