Private API in REST

In a RESTful app, all APIs are public.

No they aren't.

How do I make an API private?

Authentication. Either use HTTP AUTH or an API key mechanism.
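
A sketch of the two options named in the answer above, added here as an example and not taken from any poster's code: one function that accepts either an HTTP Basic `Authorization` header or an API key. The `X-Api-Key` header name, the `USERS` and `API_KEYS` tables and their values are constructed assumptions; plain SHA-256 stands in for the application's real password hashing.

```ruby
require "base64"
require "digest"

# Constructed sample credentials. A real app checks its own user store and
# a proper password hash; plain SHA-256 is used only to keep this runnable.
USERS    = { "alice" => Digest::SHA256.hexdigest("correct horse") }.freeze
API_KEYS = { Digest::SHA256.hexdigest("k-3f9a-constructed") => "reporting-job" }.freeze
DUMMY    = ("0" * 64).freeze # compared against when the user is unknown

# Compare two digests without returning early at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the authenticated principal, or nil when no valid credential is present.
def authenticate(headers)
  # Option 1: API key. Only the hash of each key is stored server-side.
  if (key = headers["X-Api-Key"])
    return API_KEYS[Digest::SHA256.hexdigest(key)]
  end

  # Option 2: HTTP Basic, i.e. "Authorization: Basic base64(user:password)".
  scheme, payload = headers["Authorization"].to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && payload

  user, password = Base64.decode64(payload).split(":", 2)
  return nil unless user && password

  stored = USERS[user]
  # Always do the comparison, so unknown users take the same code path.
  ok = secure_equal?(stored || DUMMY, Digest::SHA256.hexdigest(password))
  stored && ok ? user : nil
end

# Private endpoint: anything unauthenticated gets 401 plus a Basic challenge.
def handle_request(headers)
  principal = authenticate(headers)
  unless principal
    return [401, { "WWW-Authenticate" => 'Basic realm="api"' }, "unauthorized"]
  end
  [200, {}, "hello #{principal}"]
end
```

Both schemes send a reusable secret on every request, so the endpoint has to be served over HTTPS.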


I'm trying to implement an authenticated API as well (similar to Highrise and other 37signals apps). We use restful_authenticated and wanted to make something that hooks into the standard username/password system we have. HTTP AUTH seems to be the best option, but will something like OAuth work better? Or is OAuth something you add on top of HTTP AUTH for a REST API? If anyone has done this...