
How does Hot Towel deal with authentication & personalization?


I really like the concepts behind Hot Towel, and have viewed the course on Pluralsight a few times now to really get a good idea of what's going on.

One aspect of Hot Towel really eludes me - how can it be used for an application that demands different user roles? The topics of authentication and personalization aren't dealt with in the course, and don't seem to have any easy way to accomplish this with modifying the framework itself.


Solution

  • I had the same question when I first watched the Pluralsight courses and started working on my application which needs to perform Authentication and Authorization.

    It seems the problem is not specific to Hot Towel Template but in general a problem when using Web API. A quick look at the ASP.NET overview for Web API provided much information (http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api). If you plug in your custom RoleProvider and ProfileProvider, that should allow you to re-use the Authorize() attribute.

    Note that when working with REST & Web API, the API has to be stateless and hence no Session is present. I found articles providing workarounds for getting the Session[] variable active but decided against using it. You can use an object cache to achieve the same results.

    If the Authorize() attribute doesn't cut it for you, you can write your own Authorization Filter. This SO question can provide more information (though it focuses on preventing Cross Site Request Forgery, the basic structure and how to use the filter are the same when doing custom AuthZ).

    Since JavaScript code can be altered by the attacker on the browser end, relying on any protections provided in the application's JS is not sufficient, and providing the protection on the Web API layer is mandatory. Authentication and authorization boil down to protecting the Web API, and there is a ton of information available on protecting external-facing web services that can be adapted to your scenario.
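The answer above describes the pieces (the built-in Authorize() attribute backed by a RoleProvider, a custom authorization filter for cases it doesn't cover, and an object cache in place of Session) without showing them together. The following is an added example, not code from the Hot Towel template or from the answer's author. It targets ASP.NET Web API 2; the filter name `RequireRoleAttribute`, the controller, the role names and the cached "profile" string are all illustrative assumptions. The principal it inspects is whatever authentication already ran earlier in the pipeline (forms auth, an OWIN middleware, or a message handler); the filter itself does no authentication.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Runtime.Caching;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical custom authorization filter (assumed name). It enforces roles on the
// Web API layer, which is where the check has to live since client-side JS can be altered.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public class RequireRoleAttribute : AuthorizationFilterAttribute
{
    private readonly string[] _roles;

    public RequireRoleAttribute(params string[] roles)
    {
        _roles = roles ?? new string[0];
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // [AllowAnonymous] on the action or the controller short-circuits the check,
        // mirroring how the built-in [Authorize] behaves.
        bool anonymousAllowed =
            actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
            actionContext.ControllerContext.ControllerDescriptor
                .GetCustomAttributes<AllowAnonymousAttribute>().Any();
        if (anonymousAllowed)
        {
            return;
        }

        // Web API 2 exposes the caller's principal on the request context. Nothing here
        // touches Session: the API stays stateless and every request carries its own identity.
        IPrincipal principal = actionContext.RequestContext.Principal;

        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            // Not authenticated at all: 401 so the client knows to obtain credentials.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // Authenticated but holding none of the required roles: 403, not 401.
        // IsInRole is answered by the configured RoleProvider when a RolePrincipal is in use.
        if (_roles.Length > 0 && !_roles.Any(principal.IsInRole))
        {
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
        }
    }
}

// Assumed controller showing the built-in attribute and the custom filter side by side.
[Authorize]
public class OrdersController : ApiController
{
    // Per-user state goes in an object cache keyed by identity instead of Session[].
    private static readonly MemoryCache ProfileCache = MemoryCache.Default;

    private static string ProfileFor(string userName)
    {
        string key = "profile:" + userName;
        string cached = ProfileCache.Get(key) as string;
        if (cached != null)
        {
            return cached;
        }
        // Constructed placeholder value; a real application would load it from its ProfileProvider or database.
        string profile = "profile-of-" + userName;
        ProfileCache.Set(key, profile, DateTimeOffset.UtcNow.AddMinutes(10));
        return profile;
    }

    [AllowAnonymous]
    public IHttpActionResult GetPublicSummary()
    {
        return Ok(new { openOrders = 3 });   // constructed sample data
    }

    [Authorize(Roles = "Manager")]   // built-in attribute, resolved through the RoleProvider
    public IHttpActionResult GetAll()
    {
        return Ok(new { viewer = ProfileFor(User.Identity.Name), orders = new[] { 1, 2, 3 } });
    }

    [RequireRole("Admin", "Auditor")]   // custom filter: any one of the listed roles suffices
    public IHttpActionResult Delete(int id)
    {
        return StatusCode(HttpStatusCode.NoContent);
    }
}
```

The distinction between 401 and 403 matters for the SPA side: a 401 tells the Durandal/Knockout client to route the user to a login view, while a 403 means the session is valid but the role is insufficient, so redirecting to login would loop. Register the filter globally via `config.Filters.Add(new RequireRoleAttribute(...))` in WebApiConfig if every action should default to a role, and use `[AllowAnonymous]` to open specific actions; for per-action requirements, the attribute form shown above is enough.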