Have been going in circles on the docs here. Just a small  push in the right direction would be much appreciated. 

I'd like to make a flash-app, hosted on Myspace.

I have a server that is going to store some data (levels, experience etc.). So the flash app needs to make calls to my server. These calls will have a GET var with the user ID. 

Basic stuff. 

 Now, how does the server make sure that the user_ID is actually playing the game? Anybody can just alter the user_id in the server request. Is MySpaceID suitable for this? Should I just use oAuth? 

 Other API's I've used have been specifically for games (Kongregate) they give a user a token that is unique for that game. So USER_ID X authenticates with TOKEN y. 

You can use

1. MySpaceID (OpenID+OAuth api.myspace.com/openid) or

2. MySpaceID (OAuth only api.myspace.com/authorize) or

3. container.makeRequest() (OpenSocial)

These choices allow you to make oauth sign requests to the server. Both choice 1+2 have the access_token and signature you can use to verify. Choice #3 is best for checking if your opensocial app is making a request from myspace and is authentic by verifying the signature.

thanks,

Joel

 BTW here are the Opensocial docs on validating signed requests:

http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests

thanks,

Joel