Talking about best practice, consider the scenario below:
When dealing with authentication and securing your Web API I recommend you follow the guidelines set by Dominick Baier. There might be no better expert on ASP.NET identity management in the world.
You can find his blog at http://leastprivilege.com/ and a great Web API Identity package on NuGet, Thinktecture.IdentityModel - http://nuget.org/packages/Thinktecture.IdentityModel. As with most of the good open source libraries, since all the functionality is available to you for free, there is no need to reinvent the wheel.
This is a top-to-bottom identity & access control library for .NET 4.0/WIF and .NET 4.5 (including support for MVC and Web API).
If you want to learn more about securing your Web API, you should also watch this video http://vimeo.com/43603474 - Dominick's talk from NDC Oslo 2012.