Help with API security and ideology

[eluser]greg.thompson[/eluser]
Hi guys, let me first just give you an Idea of what I'm doing. I'm looking to create a application that users can log into and create events etc. But the most important part of it is an API that will allow these same users to submit information/registrations/payments to my application hosted elsewhere. The things I want to do are pretty darn basic but I'm having a damn hard time wrapping my head around the API and security.

I'm using Phil Sturgeon RestServer implementation and that part is working without any type of authentication but again where I struggle is how to really tighten up security. I really like the Oauth structure of private/public keys but I honestly can't wrap my head around it... maybe a lack of understanding. I'd want the user to create their application connection within the app itself and get all they're keys etc. from the app then use this information on their page, where they'll be accessing the API data.

so...
application site (www.application.com). User signs up, logs in, creates event and creates an API connection.
users site (www.myevent.com). User writes specific code to connect to said API and get event information or submit payment info for a user.

How in the API connection creation can I generate the user new keys and then how can I set it up so the user can use these keys to access my API securely. My primary concern in all of this is security.

I've looked into the Oauth library but it seems that it focuses on local usage and account creation etc.

Also, I've seen some libraries that just give one key and that's basically your connection. I assume this would be used in a curl call to interact with the API but this doesn't seem to secure.

I'm so damn lost. can anyone help?