Single page application authentication and authorization

This doesn’t quite answer your question, sorry, but this is how I handle it…

For security reasons, I don’t start my single page app unless the user is already logged in. That is, my splash screen is just a regular page, using Devise, and it does the standard POST when the user clicks the log in button. It is only when they are logged in that I download anything and fire up the Ajax.

That just feels safer from anyone viewing the page source: you need to be trusted to see any interesting page source at all.
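
The arrangement described in this answer, sketched as a Rack-style gate that keeps the SPA shell and bundle away from anyone who has not signed in. This is an added example, not code from the original post; the path prefixes, the `SpaGate` name, the `:user` scope and the `/users/sign_in` path are assumptions, and the Warden proxy is replaced by a constructed stand-in so the block runs on its own.

```ruby
# Added example; plain Ruby, Rack calling convention, no gems required.
# Assumptions (not in the post): SPA files live under /app and /assets/spa,
# the Devise scope is :user, and its sign-in page is /users/sign_in.
class SpaGate
  PROTECTED_PREFIXES = ["/app", "/assets/spa"].freeze
  LOGIN_PATH = "/users/sign_in"

  def initialize(app)
    @app = app
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) if !protected?(path) || signed_in?(env)

    if env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest"
      # Ajax callers get a status they can act on instead of a login page.
      [401, { "content-type" => "application/json" }, ['{"error":"login required"}']]
    else
      [302, { "location" => LOGIN_PATH, "cache-control" => "no-store" }, []]
    end
  end

  private

  # Match whole path segments so /application is not treated as /app.
  def protected?(path)
    PROTECTED_PREFIXES.any? { |p| path == p || path.start_with?("#{p}/") }
  end

  # Devise's Warden proxy lives in env["warden"]; if it is absent, fail closed.
  def signed_in?(env)
    warden = env["warden"]
    !warden.nil? && warden.authenticated?(:user)
  end
end

# Constructed stand-ins for the Warden proxy and the downstream app.
FakeWarden = Struct.new(:ok) do
  def authenticated?(_scope)
    ok
  end
end
DOWNSTREAM = ->(env) { [200, { "content-type" => "text/plain" }, ["served #{env['PATH_INFO']}"]] }

def gate_status(path, signed_in:, xhr: false)
  env = { "PATH_INFO" => path, "warden" => FakeWarden.new(signed_in) }
  env["HTTP_X_REQUESTED_WITH"] = "XMLHttpRequest" if xhr
  SpaGate.new(DOWNSTREAM).call(env).first
end
```

Because the gate fails closed without `env["warden"]`, it has to sit after Warden's own middleware, and files a web server hands out directly from a public directory never pass through it. The JSON endpoints the app calls still need their own per-request authorization checks, since the gate only controls who can download the client code.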