I have developed a single page app prototype that is using Backbone on the front end and going to consume from a thin RESTful API on the server for it's data.

Coming from heavy server side application development (php and python), I have really enjoyed the new different design approach with a thick client side MVC but am confused on how best to restrict the app to authenticated users who log in.

I prefer to have the app itself behind a login and would also like to implement other types of logins eventually (openid, fb connect, etc) in addition to the site's native login. I am unclear how this is done and have been searching - but unsuccessful in finding information that made it clear to me.

In the big picture, what is the current best practice for registering users and requiring them to login to use your single page app?

Once a user is logged in, how are the api requests authenticated? Can I store a session but how do I detect for this session in the API calls? Any answers to this would be much appreciated!