There is a chance one user will unintentionally overwrite someone else's changes if they both update a record at nearly the same time. One solution is to use optimistic locking. The updated_at column can also be used for this, as shown.
There are many approaches to locking down an API. Here I start off with HTTP Basic authentication, then move on to generating a unique token which can be passed through a URL parameter or HTTP header.
Here I describe each Rack middleware that is included in a Rails app, which will give you a better understanding of what a request goes through behind the scenes before it hits your application.