Thanks for the suggestion, but no I'm looking to Azure ACS for the token authorization.
I like to have it so that someone wanting to build a client application that accesses my API needs to get an ACS Service Identity. Then when a user uses this client they authorize through a popup page like you would with Facebook or Twitter, and then ACS
returns the AccessToken.
That bit I've got working...
the bit that is confusing me is how to setup the WebAPI to accept these tokens and reject invalid ones.