The key is to use data that the client end couldn't know. You can probably rig something with an HMAC and the
Digest::SHA1 module. Or generate a random string and stuff it into a database so you can verify that it came from you, and then delete it once it has been used.
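
A sketch combining both suggestions, added here as an example and not part of the original post: a token carrying an HMAC the client cannot compute, plus a random nonce that is stored server-side and deleted on first use. It uses `hmac_sha256_hex` from the core `Digest::SHA` module rather than `Digest::SHA1`; the secret, the function names, the `%issued` hash standing in for the database, and the `/dev/urandom` source are all assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a server-side secret the client never sees (constructed value).
my $SECRET = 'replace-with-long-random-server-secret';
my %issued;    # stands in for the database table of unused nonces

# Read random bytes from the OS (assumes a Unix-like /dev/urandom).
sub random_hex {
    my ($n) = @_;
    my $buf;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, $buf, $n) == $n or die "short read";
    close $fh;
    return unpack 'H*', $buf;
}

# Compare without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Issue "nonce.expiry.mac"; the MAC covers the user, nonce and expiry.
sub issue_token {
    my ($user, $ttl) = @_;
    my $nonce  = random_hex(16);
    my $expiry = time + $ttl;
    $issued{$nonce} = 1;
    return join '.', $nonce, $expiry, hmac_sha256_hex("$user|$nonce|$expiry", $SECRET);
}

# Accept only an unexpired, unmodified token, and only once.
sub verify_token {
    my ($user, $token) = @_;
    my ($nonce, $expiry, $mac) = split /\./, $token // '';
    return 0 unless defined $mac && $expiry =~ /\A\d+\z/;
    return 0 unless ct_eq($mac, hmac_sha256_hex("$user|$nonce|$expiry", $SECRET));
    return 0 if $expiry < time;
    return delete($issued{$nonce}) ? 1 : 0;    # delete once used
}

my $t = issue_token('alice', 300);
print "first use:  ", verify_token('alice', $t), "\n";
print "replay:     ", verify_token('alice', $t), "\n";
print "other user: ", verify_token('bob', issue_token('alice', 300)), "\n";
```

With a real database, the nonce lookup and delete should happen in one atomic statement so two concurrent requests cannot both redeem the same token.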