I am making an API in NodeJS that'll be used by a website and an iPhone native app at the same time.
There is a chance that the API URL will be exposed to the user when it is used in JavaScript for the website. I only want authorized access to the API. I don't want anyone to call the API via the console, like user/delete/[user-id]; anyone can use this URL to delete a user.
Check out http://passportjs.org/
There are plenty of authentication strategies to use. Don't reinvent the wheel here. ;)
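The check the question asks for has to run on the server, per request, because the URL itself cannot be kept secret. The following is an added example, not code from the original posts or from Passport: it uses only Node's built-in `crypto` module to stand in for the authentication step a Passport strategy would perform, and the token format, `SECRET`, and all function names are assumptions made for illustration.

```javascript
// Added example: server-side decision for a request to user/delete/[user-id].
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: loaded from server config in practice

// Hypothetical token format: base64url(JSON payload) + "." + base64url(HMAC-SHA256)
function mac(body, secret) {
  return createHmac("sha256", secret).update(body).digest("base64url");
}

// Issued by the server after login; payload carries id, role and expiry (ms).
function issueToken(user, secret = SECRET) {
  const body = Buffer.from(JSON.stringify(user)).toString("base64url");
  return body + "." + mac(body, secret);
}

// Returns the payload if the signature is valid and the token is unexpired, else null.
function verifyToken(token, secret = SECRET, now = Date.now()) {
  const [body, sig] = String(token).split(".");
  if (!body || !sig) return null;
  const expected = Buffer.from(mac(body, secret));
  const given = Buffer.from(sig);
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let user;
  try { user = JSON.parse(Buffer.from(body, "base64url").toString()); } catch { return null; }
  return user && user.exp > now ? user : null;
}

// Returns the HTTP status the delete route should answer with.
function authorizeDelete(authorizationHeader, targetUserId, now = Date.now()) {
  const m = /^Bearer (.+)$/.exec(authorizationHeader || "");
  const user = m && verifyToken(m[1], SECRET, now);
  if (!user) return 401;                                   // not authenticated
  if (user.role !== "admin" && user.id !== targetUserId) return 403; // not authorized
  return 200;                                              // caller may delete this account
}
```

A request typed into the browser console reaches the same check as one sent by the website or the iPhone app, so knowing the URL is not enough to delete another user.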