leastprivilege.com
ASP.NET WebAPI Security 2: Identity Architecture
Pedro has beaten me to the punch with a detailed post (and diagram) about the WebAPI hosting architecture. So go read his post first, then come back so we can have a closer look at what that means …