I answered in the post above too - but ran out of space. As a disclaimer I work for 3scale (http://www.3scale.net) so you might want to parse my response based on that :).
The answer to your question really depends on what resources your API exposes and what you're aiming to track/limit. It sounds like most functions are tied to a user account of some kind, but could be implemented by 3rd parties.
In this case the most useful pattern is probably to have an identifier (public or secret) for each application which calls the API + also user credentials. The application identifier could be an APIKey or even just a name (e.g. "tweetdeck"). If you end up with a lot of third party applications then it is probably useful to track these identifiers (which implies at a minimum a way to issue them) and know who built each app + have the ability to turn them off (if only to shut down those that abuse your user-base). You might also want to rate limit the amount of traffic each user and app can generate on the API, so it's again useful to have an identifier.
Also, if you're authenticating users, but allowing third parties to write the apps your users use, definitely consider OAuth (http://www.oauth.net) to avoid rogue code / sites capturing your user passwords.
You mention above that you're not keen on external services - no problem, 3scale works by actually doing all the API auth local to your system (e.g. with one of the code plugins: https://support.3scale.net/libraries or in a proxy like Varnish: https://github.com/3scale/libvmod-3scale/) and then does tracking in the cloud. Obviously it doesn't fit all use cases, but can give you a bunch of useful tools out of the box.
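A sketch of the pattern described in this answer (application identifiers that can be issued and turned off, plus rate limits per app and per user), added here as an illustration; it is not part of the original answer and is not 3scale's code. The class and method names, the limit values and the fixed-window counter are assumptions, and the user is assumed to be authenticated already (e.g. via OAuth).

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class App:
    name: str             # e.g. "tweetdeck"
    owner: str            # who built the app
    enabled: bool = True  # set to False to shut off an abusive app


@dataclass
class ApiGate:
    app_limit: int = 100   # requests per window per application (assumed)
    user_limit: int = 20   # requests per window per user (assumed)
    window: int = 60       # window length in seconds
    apps: dict = field(default_factory=dict)    # app key -> App
    counts: dict = field(default_factory=dict)  # (kind, id) -> hits this window
    current: int = -1                           # index of the active window

    def issue_key(self, name, owner):
        """Register a third-party app and hand back its identifier."""
        key = secrets.token_urlsafe(24)
        self.apps[key] = App(name, owner)
        return key

    def disable(self, key):
        self.apps[key].enabled = False

    def check(self, app_key, user_id, now):
        """Return (allowed, reason) for one request at time `now` (seconds)."""
        app = self.apps.get(app_key)
        if app is None:
            return False, "unknown_app"
        if not app.enabled:
            return False, "app_disabled"
        w = int(now // self.window)
        if w != self.current:  # new window: drop the old counters
            self.current, self.counts = w, {}
        slots = [(("app", app_key), self.app_limit, "app_rate_limited"),
                 (("user", user_id), self.user_limit, "user_rate_limited")]
        # Test both limits before counting, so a rejected request
        # does not consume budget on the other counter.
        for slot, limit, reason in slots:
            if self.counts.get(slot, 0) >= limit:
                return False, reason
        for slot, _, _ in slots:
            self.counts[slot] = self.counts.get(slot, 0) + 1
        return True, "ok"
```
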