When it comes to RESTful APIs, the same mechanisms used in HTTP apply. On the other hand, although many web applications use cookies, it would be strange to use them in an API.
Thus, the most common approach is to use the Authorization header, with its variants Basic, Digest or Bearer.
A very popular option is to use OAuth with Bearer (bearer token). The header looks something like this (pseudo-code):
token = "token-received-via-OAuth-login...probably-quite-long"  # issued by the OAuth login
# The bearer token is sent verbatim (RFC 6750); it is not base64-encoded again by the client.
authHeader = "Bearer " + token
request.headers["Authorization"] = authHeader
If you choose Basic, you can either use your web server to verify the credentials or implement it yourself. The format is as follows:
import base64
credenciais = "username:password"  # user-id and password joined by a colon (RFC 7617)
authHeader = "Basic " + base64.b64encode(credenciais.encode("utf-8")).decode("ascii")
request.headers["Authorization"] = authHeader
In both cases, use HTTPS to ensure this header travels safely.
These aren't the only ways to do it, but I see them in many of the RESTful APIs I use and in almost all of the RESTful APIs I've implemented as well. I would personally recommend OAuth, especially if you are thinking of making this API available to a commercial system.
A major exception among the APIs I use is the Amazon (AWS) APIs. AWS uses a form of digital signature on each request.
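The following is an added example, not code from the answer above: it builds the Basic and Bearer headers on the client side and validates them on the server side, including the failure modes a real endpoint meets (missing header, unknown scheme, malformed base64, no ":" separator, wrong credentials). The user, password and token are constructed for the demonstration; a real service would store password hashes and look bearer tokens up in the token issuer's store. The decode_basic helper is there to make the HTTPS point concrete: Basic is an encoding, not encryption, and anyone who sees the header recovers the password.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample data for the demonstration; nothing here comes from the original post.
USERS = {"alice": "correct horse battery staple"}   # a real service stores password hashes
ISSUED_TOKENS = {"tok_" + "a" * 40: "alice"}        # opaque tokens handed out by the OAuth login


def basic_header(username: str, password: str) -> str:
    """Client side of HTTP Basic (RFC 7617): base64 of 'user-id:password'."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(token: str) -> str:
    """Client side of Bearer (RFC 6750): the token is sent verbatim, never re-encoded."""
    return "Bearer " + token


def decode_basic(header: str) -> Tuple[str, str]:
    """Recover the credentials from a Basic header: this is what a network observer
    gets if the header is sent over plain HTTP."""
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    user, _, password = decoded.partition(":")   # user-ids may not contain ':'
    return user, password


def authenticate(headers: dict) -> Optional[str]:
    """Server side: return the authenticated user name, or None (respond 401)."""
    header = headers.get("Authorization", "")
    scheme, _, param = header.strip().partition(" ")
    scheme, param = scheme.lower(), param.strip()   # scheme names are case-insensitive

    if scheme == "basic":
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None                              # not valid base64 / not valid UTF-8
        user, sep, password = decoded.partition(":")
        if not sep:
            return None                              # no 'user:password' structure
        expected = USERS.get(user)
        if expected is None:
            return None
        # Constant-time comparison so the check does not leak how much of the password matched.
        ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
        return user if ok else None

    if scheme == "bearer":
        for token, user in ISSUED_TOKENS.items():
            if hmac.compare_digest(token.encode("ascii"), param.encode("utf-8")):
                return user
        return None                                  # unknown, expired or revoked token

    return None                                      # no header, Digest, or an unknown scheme


if __name__ == "__main__":
    hdr = basic_header("alice", "correct horse battery staple")
    print(hdr)
    print("recovered by anyone who reads the header:", decode_basic(hdr))
    print(authenticate({"Authorization": hdr}))
    print(authenticate({"Authorization": bearer_header("tok_" + "a" * 40)}))
```

Note that a Bearer token that the client base64-encodes "for safety" fails the lookup just like a wrong token, which is the bug a client written from the pseudo-code above would run into.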
As far as I know, stateless means that no state is maintained on the server; the client may keep it (and, as pointed out by sergiopereira, that state may be, but not necessarily will be, in a cookie).
– mgibsonbr
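The answer above mentions that AWS signs each request rather than sending a reusable credential. The following is an added example, not code from the answer or from AWS, of a simplified per-request HMAC signature scheme in that spirit; the key id, secret, header names and canonical format are assumptions for this example and are not AWS's actual algorithm. It shows both sides of the exchange, with the shared secret never leaving the client and the server rejecting a tampered body, a replayed request outside the clock-skew window, and a foreign scheme.

```python
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed demo data: the key id and secret are assumptions for this example.
CLIENT_KEYS: Dict[str, bytes] = {"AKIDEXAMPLE": b"constructed-shared-secret"}
MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured request stays replayable


def canonical_request(method: str, path: str, query: Dict[str, str],
                      host: str, date: int, body: bytes) -> str:
    """Serialize exactly the request parts the signature covers, in a fixed order.
    Query parameters are sorted so equivalent requests canonicalize identically."""
    query_string = urlencode(sorted(query.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query_string,
                      f"host:{host.lower()}", f"x-date:{date}", body_hash])


def sign_request(key_id: str, secret: bytes, method: str, path: str, query: Dict[str, str],
                 host: str, date: int, body: bytes) -> Dict[str, str]:
    """Client side: produce the headers to attach. Only the key id travels, never the secret."""
    message = canonical_request(method, path, query, host, date, body).encode("utf-8")
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "X-Date": str(date),
        "Authorization": f"HMAC-SHA256 KeyId={key_id}, Signature={signature}",
    }


def _parse_authorization(header: str) -> Optional[Dict[str, str]]:
    """Split 'HMAC-SHA256 KeyId=..., Signature=...' into its fields, or None if malformed."""
    scheme, _, params = header.strip().partition(" ")
    if scheme != "HMAC-SHA256":
        return None
    fields: Dict[str, str] = {}
    for part in params.split(","):
        name, sep, value = part.strip().partition("=")
        if not sep:
            return None
        fields[name] = value
    if "KeyId" not in fields or "Signature" not in fields:
        return None
    return fields


def verify_request(method: str, path: str, query: Dict[str, str], headers: Dict[str, str],
                   body: bytes, now: int) -> Optional[str]:
    """Server side: return the key id that signed the request, or None to reject it."""
    fields = _parse_authorization(headers.get("Authorization", ""))
    if fields is None:
        return None
    secret = CLIENT_KEYS.get(fields["KeyId"])
    if secret is None:
        return None
    try:
        date = int(headers.get("X-Date", ""))
    except ValueError:
        return None
    if abs(now - date) > MAX_CLOCK_SKEW:
        return None  # stale or replayed request
    message = canonical_request(method, path, query, headers.get("Host", ""),
                                date, body).encode("utf-8")
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode("ascii"), fields["Signature"].encode("utf-8")):
        return None  # method, path, query, host, date or body changed in transit
    return fields["KeyId"]


if __name__ == "__main__":
    sent = sign_request("AKIDEXAMPLE", CLIENT_KEYS["AKIDEXAMPLE"], "POST", "/orders",
                        {"b": "2", "a": "1"}, "api.example.test", 1700000000, b'{"qty": 1}')
    print(sent["Authorization"])
    print(verify_request("POST", "/orders", {"a": "1", "b": "2"}, sent, b'{"qty": 1}', 1700000010))
    print(verify_request("POST", "/orders", {"a": "1", "b": "2"}, sent, b'{"qty": 9}', 1700000010))
```

Because the server needs nothing beyond the key table to check a request, the scheme is stateless in exactly the sense discussed in the comment above, while still binding each request to its body, path and time.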