I'm think something like Facebook apps here. User generated pieces of code that people can write to interact with my app.

I understand how an authenticated API works, but this seems a little more complicated because not only does the APP have to authenticate itself (with a regular api-key) but the USER using the app has to be authenticated somehow too, without giving the app free reign.

I've been reading a bit here to see how FB does it: http://wiki.developers.facebook.com/index.php/How_Facebook_Authenticates_Your_Application

And it looks like you have to pass a signature in addition to the api-key along with every call, but I'm having trouble wrapping my head around how this gets generated and used on the other end (my server).

Figure there must be a simple explanation of this out there? Thanks!

P.S. I'm building a Rails app if there are any applicable gems/plugins.