I am trying to grasp some concepts here. I have implemented a series of REST services - works great. However once exposed to the world (which they need to be to support clients like iPhone, etc) how/where do I verify the user is allowed to do so?

I want only authenticated clients to access the REST services (most of the anyway - a few are public). Should I use an API-KEY approach? OAuth? How does the REST server/services know whether a client making the request is indeed who they say they are? I want client ABC using an iPhone to only be able to update/delete/add records to their account so the REST server would need some way of looking up the API-KEY and matching that with a user ID.

Experiences, ideas, opinions?

Cheers,
Alex