This is a big question! But one thing worth considering is that securing ajax calls is quite a different beast from securing server-side API calls.
Ajax calls come from the browser, which must be considered to be in enemy hands. So you shouldn't ever hold any secret keys in the browser, which means the browser will need to cooperate with a server to obtain tokens. Also, if you want to support a browser making ajax calls to some web site other than the one that served up the page the Javascript lives within, you need to use CORS which adds a wee bit of complexity/funkiness.
Many people work around this by using a pattern where all ajax calls are not really secured by token but instead go straight back to the web site that served the page - and from there, the web site proxies them off to the actual destination server.
To put it another way, the ajax request is not secured via token at all (as a server request would be), but instead by cookie as a web page would be.
You can see this in action in Grafana for example. Grafana is a cool graphing tool built as a single page application. To populate the graphs, the Grafana javascript needs to perform queries against a database. To avoid auth problems, instead of the web page somehow doing this directly, it instead makes the calls to a proxy API
http://docs.grafana.org/reference/http_api/#data-source-proxy-calls on the grafana back end.
Back on the grafana server, this proxy API call is then shovelled straight on to the database without any actual processing. I'm not really sure how they've implemented it, but using nginx or such this could probably even be done without any need to buffer the request and response anywhere in the server code.
So tl;dr:
One thing you might consider is not to struggle with token (e.g. OAuth) based auth at all for your ajax calls - instead require them to be same origin and use the same auth you would use for secure web pages, i.e. cookies.
Then your server side auth can be more traditional stuff, i.e. OAuth, maybe using JWTs as tokens as discussed, etc.