The answer to that question definitely depends on the application. The Cloudant data model allows for read, write, and admin roles to be assigned to both users in the cloudant.com domain as well as generated API keys. For data consumption (e.g. read-only), it's straightforward to map those roles onto the application. For data creation, it of course becomes trickier. Approaches range from generating an API key per user to generating a cloudant.com account per user. However, you've highlighted the key question that is at the heart of all two-tier application stacks, from 'couch apps' to meteor.js, firebase, etc.
In addition to what Mike has said about how you set up auth currently the library will use basic auth with the browser dialog. There's a todo in the code to make this a load nicer, and I'd like to get that in the next release.
