At the moment, Spray implements only the basic security mechanisms. It comes with HTTP basic authentication , and some cookie support.
It makes sense not to include more specific security implementations, because each project implements it differently. Although the Oauth implementation would be useful in many cases. There may be designs that provide this for Spray.
Token-based authentication sounds like a good general choice.