This is typically done using token-based authentication. Your MVC application authenticates the user against a security token service (STS) that is associated with an identity provider (can be a social identity provider like Google or Facebook, or a service that has its own username/password database). The STS issues a security token for that user to use the application. The token is digitally signed, so it cannot be tampered with.
Now if the application wants to call the web service, it takes the token it has back to the STS and asks for a new token for the service. This token often comes in the form of a JWT token which you can stick in the Authorization HTTP header of the HTTP request to the Web API.
The service you're calling is configured to trust the tokens issued by the STS. It does this by verifying the token was issued by an STS it knows, the token was intended for that service and it is within the valid time range, etc.
See also this question.
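
The checks the service performs on an incoming token, as an added Node.js example that is not part of the original answer: signature under the STS public key, issuer, audience, and validity window. The key pair, the `https://sts.example` and `https://api.example` names and the function names are constructed for the demo; a real Web API would normally delegate these checks to its platform's JWT middleware configured with the STS's published signing key.

```javascript
const crypto = require('node:crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');

// STS side (constructed stand-in): sign the claims with the STS private key.
function issueToken(claims, stsPrivateKey) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(`${head}.${body}`), stsPrivateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// Service side: return the claims, or throw naming the check that failed.
function validateToken(token, { stsPublicKey, issuer, audience, now, skew = 60 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  // Pin the algorithm; never let the token header choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('bad alg');
  // 1. Issued by an STS we know: signature verifies under its public key.
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('sha256', signed, stsPublicKey, Buffer.from(sig, 'base64url')))
    throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('bad issuer');
  // 2. Intended for this service.
  if (![].concat(claims.aud ?? []).includes(audience)) throw new Error('bad audience');
  // 3. Within the valid time range (seconds since epoch, small clock skew).
  if (typeof claims.exp !== 'number' || now > claims.exp + skew) throw new Error('expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf - skew) throw new Error('not yet valid');
  return claims;
}

// Helper for the demo: 'ok' or the rejection reason.
function check(token, opts) {
  try { validateToken(token, opts); return 'ok'; } catch (e) { return e.message; }
}

// Constructed demo values: key pair, issuer and audience are placeholders.
const sts = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const NOW = Math.floor(Date.now() / 1000);
const opts = { stsPublicKey: sts.publicKey, issuer: 'https://sts.example', audience: 'https://api.example', now: NOW };
const token = issueToken({ iss: opts.issuer, aud: opts.audience, sub: 'alice', nbf: NOW, exp: NOW + 300 }, sts.privateKey);
console.log(check(token, opts));
console.log(check(token, { ...opts, audience: 'https://other.example' }));
console.log(check(token, { ...opts, now: NOW + 3600 }));
```

A token minted for a different service fails the audience check even though its signature is valid, which is why the application asks the STS for a new token per service.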