The important point, from a security perspective, is to exchange the user’s email and password for a token once, and then use that token for subsequent requests. This is because:
- You don’t want the client app to be responsible for holding onto the user’s password, where a bug or attack could cause it to be leaked; and
- A server-issued token gives you (and your users) the ability to expire a token if necessary, e.g. to lock out a stolen device or block a misbehaving API client.
There are many ways to accomplish this with varying levels of complexity.
Here is a tutorial that is very recent and has a thorough walkthrough for creating an API in Rails with token-based authentication (not using Devise, but still relevant to understand the concepts): https://labs.kollegorna.se/blog/2015/04/build-an-api-now/
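To make the exchange concrete, here is an added, framework-free Ruby sketch of the flow described in this answer (example code written for this page; it is not part of the original answer, of Devise, or of the linked tutorial). It assumes an in-memory user and token table, PBKDF2 from Ruby's OpenSSL standard library standing in for Devise's bcrypt, and hypothetical names (`TokenAuth`, `exchange_credentials`, `authenticate`, `revoke`, `token_from_header`). The raw token is handed to the client exactly once and only its SHA-256 digest is stored, so a copied database does not yield usable tokens; expiry and revocation live on the token record, so a stolen device can be locked out without touching the user's password.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Hypothetical, framework-free model of "exchange credentials once, then use a token".
class TokenAuth
  TOKEN_TTL = 60 * 60 * 24 * 30 # 30 days, an assumed policy

  User     = Struct.new(:email, :password_salt, :password_hash)
  ApiToken = Struct.new(:token_digest, :user_email, :device, :expires_at, :revoked_at)

  def initialize
    @users  = {} # email        => User      (stands in for the users table)
    @tokens = {} # token digest => ApiToken  (stands in for an api_tokens table)
  end

  def register(email, password)
    salt = SecureRandom.random_bytes(16)
    @users[email] = User.new(email, salt, hash_password(password, salt))
  end

  # Step 1: the client sends email+password ONCE and gets back a random token.
  # Only the digest of the token is kept server-side.
  def exchange_credentials(email, password, device:, now: Time.now)
    user = @users[email]
    # Hash even for unknown emails so timing does not reveal whether an account exists.
    salt = user ? user.password_salt : SecureRandom.random_bytes(16)
    candidate = hash_password(password, salt)
    return nil unless user && secure_compare(candidate, user.password_hash)

    raw = SecureRandom.urlsafe_base64(32) # this is what the client stores, never the password
    d = digest(raw)
    @tokens[d] = ApiToken.new(d, email, device, now + TOKEN_TTL, nil)
    raw
  end

  # Step 2: every later request presents only the token. Returns the User or nil.
  def authenticate(raw_token, now: Time.now)
    rec = @tokens[digest(raw_token.to_s)]
    return nil if rec.nil? || rec.revoked_at || now >= rec.expires_at

    @users[rec.user_email]
  end

  # Lock out one stolen device / misbehaving client; the password stays valid.
  def revoke(raw_token, now: Time.now)
    rec = @tokens[digest(raw_token.to_s)]
    return false unless rec

    rec.revoked_at ||= now
    true
  end

  # Log a user out everywhere (e.g. after a password change). Returns tokens revoked.
  def revoke_all_for(email, now: Time.now)
    affected = @tokens.values.select { |t| t.user_email == email && t.revoked_at.nil? }
    affected.each { |t| t.revoked_at = now }
    affected.size
  end

  # Pull the token out of "Authorization: Bearer <tok>" or the
  # "Token token=\"<tok>\"" form Rails' authenticate_with_http_token understands.
  def self.token_from_header(header)
    return nil if header.nil?
    if (m = header.match(/\ABearer\s+([A-Za-z0-9\-_=]+)\z/)) then return m[1] end
    if (m = header.match(/\AToken\s+token="([^"]+)"/))        then return m[1] end

    nil
  end

  private

  # PBKDF2-HMAC-SHA256 stands in for Devise's bcrypt here; iteration count kept low for the demo.
  def hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new('sha256'))
  end

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end

  # Constant-time comparison so a wrong hash is not detectable by response time.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  auth = TokenAuth.new
  auth.register('alice@example.com', 'correct horse battery staple') # constructed sample user
  tok = auth.exchange_credentials('alice@example.com', 'correct horse battery staple', device: 'phone')
  puts "token issued: #{tok}"
  puts "authenticated as: #{auth.authenticate(TokenAuth.token_from_header("Bearer #{tok}")).email}"
  auth.revoke(tok)
  puts "after revoke: #{auth.authenticate(tok).inspect}"
end
```

In a real Rails app the `@tokens` hash becomes an ActiveRecord model with a unique index on the digest column, the header parsing is `authenticate_with_http_token` in the controller, and the password check is Devise's `valid_password?`; the security properties (no stored raw token, per-device revocation, expiry checked on every request) are the same.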