Once they're authenticated, I generate a token and send it to them. They store it, and use that token from here on out (HTTPS only).
Perhaps I expire it after some time (hours or days, if I don't want my user to have to log in all the time).
That's it? :D Seems like I'm missing something...
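
The flow described in the post, as an added example that is not part of the original post: an opaque random token issued after login, kept server-side only as a SHA-256 digest, with an expiry and a logout path. `TokenStore`, its method names and the 24-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumed lifetime; the post only says "hours or days"


class TokenStore:
    """In-memory token store (hypothetical; a real service would use a database)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._records = {}       # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Call only after the user has authenticated; returns the token to send."""
        token = secrets.token_urlsafe(32)   # 32 random bytes from the OS CSPRNG
        self._records[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def validate(self, token):
        """Return the user id for a live token, or None if unknown or expired."""
        digest = self._digest(token)
        record = self._records.get(digest)
        if record is None:
            return None
        user_id, expires_at = record
        if self._clock() >= expires_at:
            del self._records[digest]       # drop expired tokens when seen
            return None
        return user_id

    def revoke(self, token):
        """Logout: forget the token so it stops working before it expires."""
        self._records.pop(self._digest(token), None)
```

The client sends the token back on each request over HTTPS, and the server calls `validate` before doing any work for that request.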