Vince_
Cloudand allows you to setup a number of account types.
Role Description _reader Gives the user permission to read documents from the database. _writer Gives the user permission to create and modify documents in the database. _admin Gives the user all permissions, including setting permissions. _replicator Gives the user permission to replicate a database, including creating checkpoints. _db_updates Gives the user permission to use the global changes feed. _design Gives the user access to views and design documents. _shards Gives the user access to the /$DB/_shards endpoint. _security Gives the user access to the /$DB/_security endpoint, letting them change roles of users. _search_analyze Gives the user access to the /_search_analyze endpoint
Obviously you would not want to give your admin username and password away in your app.
Cloudant allows you to create an auth key and password (username/password) easily on the fly (from say a separate secure offline site that handles new accounts). Im planning on creating a separate api tokens per user so if one user goes nuts they can be deactivated.
You can also send a hashed version of your api keys instead of the unmasked versions.
Cloudant offers https at no extra cos (a level SSLlabs tested https://www.ssllabs.com/ssltest/ )
https://docs.cloudant.com/api.html#-api-reference
Securing (encrypting) your tokens is advisable and only allowing SSL. Worst case you can create separate databases (tables) per user and api tokens per user).
Cloudant also assist via Skype and have great support. They can scale up in minutes and allows you to float between shared and dedicated servers during peak app periods.