I’m building a REST API in asp.net mvc. My system uses forms authentication. Username/password or openId/fbconnect, etc. If I have the [Authorize] attribute on an action, how would an android app or a desktop app get access to the method?
Or the better question is, how would I be designing the desktop app to authenticate? Would I need to pass an API key or some token of some sort? Or would the desktop app behave like a browser and use internal cookies? I’m not quite sure how a RESTful API would work outside of a web browser with authentication.
I wouldn’t use cookies in a REST API. FormsAuthentication is a cookie-based method. Instead, the caller should provide authentication credentials with every request in a header, or as a request parameter.
For example, you could use Basic authentication to transmit user name and password, or add a custom authentication header with some encrypted access token (which is not very RESTful). You could also implement OAuth, where the requester will provide an access token with every request.
I’d write a custom AuthorizeAttribute to perform the authentication in your code; that gives you a lot of control. Alternatively, you can use a controller base class and override the OnAuthorization method.
The API should not provide a password challenge: In a web app, an unauthorized request will typically redirect the user to a login page. In an API, the request will simply return an error code. It is now the client application’s job to challenge the user through a dialog, if applicable. In a mobile app, you might want to show a dialog. In a web application with OAuth, you probably want to redirect to an authentication server.
If you want to test your REST API, I suggest you use REST Console for Google Chrome and cURL. The former is easier for beginners and comes with a nice GUI while cURL gives you even more fidelity and lots of protocols.
EDIT
A somewhat pedantic note: Some APIs, even those of fairly large providers, e.g. Twitter, return 401 status codes from time to time, typically omitting the (mandatory) WWW-Authenticate header because it was not their intention to challenge the client.
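The custom AuthorizeAttribute the answer suggests, written out as an added example for ASP.NET MVC (System.Web.Mvc). This is not code from the original post or the asker's project. It reads credentials from a Basic Authorization header on every request, never touches the forms-authentication cookie, and on failure answers with a 401 plus a WWW-Authenticate header instead of redirecting to a login page. The ICredentialStore interface, its CredentialStoreFactory hook, the ApiBasicAuthorizeAttribute name and the "example-api" realm are assumptions made for the example; plug in whatever credential check your application already has.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Hypothetical credential check supplied by the application (assumption for this example).
public interface ICredentialStore
{
    bool Validate(string userName, string password);
}

// Header-based authorization for API actions: no cookies, no login-page redirect.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class ApiBasicAuthorizeAttribute : AuthorizeAttribute
{
    private const string Realm = "example-api"; // assumed realm name

    // Hypothetical resolver hook; in a real application wire this up through your DI container.
    public static Func<ICredentialStore> CredentialStoreFactory = () => null;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Basic credentials are only base64-encoded, so refuse to accept them in clear text.
        if (!httpContext.Request.IsSecureConnection)
            return false;

        string header = httpContext.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string userName, password;
        if (!TryParseBasic(header.Substring("Basic ".Length).Trim(), out userName, out password))
            return false;

        ICredentialStore store = CredentialStoreFactory();
        if (store == null || !store.Validate(userName, password))
            return false;

        // Valid credentials: establish a principal for this request only (nothing is persisted).
        httpContext.User = new GenericPrincipal(new GenericIdentity(userName, "Basic"), new string[0]);

        // Let the base class still enforce any Users/Roles set on the attribute.
        return base.AuthorizeCore(httpContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpResponseBase response = filterContext.HttpContext.Response;

        // An API challenges with a status code and WWW-Authenticate; the client decides how to prompt.
        response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");

        // .NET 4.5+: otherwise FormsAuthenticationModule rewrites this 401 into a 302 to the login page.
        response.SuppressFormsAuthenticationRedirect = true;

        filterContext.Result = new HttpStatusCodeResult((int)HttpStatusCode.Unauthorized);
    }

    // Decodes "base64(user:password)"; returns false on malformed input.
    private static bool TryParseBasic(string encoded, out string userName, out string password)
    {
        userName = password = null;
        byte[] raw;
        try { raw = Convert.FromBase64String(encoded); }
        catch (FormatException) { return false; }

        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');
        if (colon <= 0) return false; // empty user name or no separator

        userName = pair.Substring(0, colon);
        password = pair.Substring(colon + 1); // passwords may legitimately contain ':'
        return true;
    }
}

// Usage on a controller action (constructed illustration):
//
// [ApiBasicAuthorize]
// public ActionResult Orders() { return Json(new[] { "order-1" }, JsonRequestBehavior.AllowGet); }
```

From a desktop or Android client, or from cURL while testing (curl -u alice:secret https://host/api/orders), the Authorization header travels with every request and no session cookie is involved. If the application targets a framework older than .NET 4.5, SuppressFormsAuthenticationRedirect is not available and the forms module will still turn the 401 into a redirect; in that case the API routes need to be kept out of forms authentication's reach (for example by disabling FormsAuthenticationModule for them) or the challenge has to be signalled differently.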