Dec 18, 2014 08:31 AM|BrockAllen
OAuth2 is the de facto standard approach for API security these days. To do it well, you should read the OAuth2 (and OpenID Connect) specs.
Also, I work on IdentityServer. I'd suggest reading the wiki on it:
If you have additional questions about it, feel free to post them to the GitHub issue tracker.