I'm writing a web app (in Flask) that has an API back end that the iOS app will communicate with. What is the best way to create, pass, and authenticate user tokens?
Look at flask-oauthprovider. It lets you secure views like this:
    @provider.require_oauth()
    def view_profile():
        ...
and handles token requests for you.
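To show what a token-checking decorator of this kind does around a view, here is an added example that is not from the original answer and is not flask-oauthprovider's code or OAuth itself: a simpler opaque bearer-token scheme in standard-library Python. The names `issue_token`, `authenticate`, `require_token`, the in-memory store, the one-hour lifetime and the `Authorization: Bearer` header are all assumptions made for illustration, and the view takes a plain headers dict so the block runs without Flask.

```python
import hashlib
import secrets
import time
from functools import wraps

TOKEN_TTL = 3600   # token lifetime in seconds (constructed value)
_tokens = {}       # sha256(token) -> (user_id, expires_at); stands in for a DB table

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user_id, now=None):
    """Create a random token after login; only its hash is kept server-side."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _tokens[_digest(token)] = (user_id, now + TOKEN_TTL)
    return token                               # sent to the client once, over TLS

def authenticate(headers, now=None):
    """Return the user id for a valid 'Authorization: Bearer <token>', else None."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    key = _digest(token)
    record = _tokens.get(key)
    if record is None:
        return None
    user_id, expires_at = record
    if now >= expires_at:
        _tokens.pop(key, None)                 # expired tokens are evicted
        return None
    return user_id

def require_token(view):
    """Decorator: run the view only for an authenticated caller."""
    @wraps(view)
    def wrapper(headers, *args, **kwargs):
        user_id = authenticate(headers)
        if user_id is None:
            return 401, {"error": "invalid or expired token"}
        return view(user_id, *args, **kwargs)
    return wrapper

@require_token
def view_profile(user_id):
    return 200, {"user": user_id}
```

Storing only the SHA-256 of each token means a leaked token table cannot be replayed directly against the API.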