Storing SHA-256 of passwords is a bad idea. You should use either scrypt, bcrypt, or at the very least PBKDF2 (with a large number of rounds).
For a signed token round-tripped to the client you should use an HMAC[1].
[1]: http://en.m.wikipedia.org/wiki/Hash-based_message_authentica...
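Both recommendations in one short illustration, added here as an example rather than the commenter's own code; it uses only Python's standard library, with PBKDF2-HMAC-SHA256 standing in for the password store (the `pbkdf2_sha256$rounds$salt$hash` string format and the 600,000-round work factor are assumptions) and HMAC-SHA256 as the tag on a client-held token:

```python
import base64
import hashlib
import hmac
import os

# Work factor and on-disk format are assumptions for this example; tune the
# round count to the slowest login latency you can accept on real hardware.
PBKDF2_ROUNDS = 600_000


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Salted PBKDF2-HMAC-SHA256; returns 'pbkdf2_sha256$rounds$salt$hash'."""
    salt = os.urandom(16)  # fresh random salt per password, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (
        rounds, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    try:
        algo, rounds, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        rounds = int(rounds)
    except ValueError:  # malformed record (bad base64, wrong field count, bad int)
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(dk, expected)


def sign_token(payload: bytes, key: bytes) -> bytes:
    """Attach an HMAC-SHA256 tag so the client cannot alter the payload unnoticed."""
    tag = hmac.new(key, payload, "sha256").digest()
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)


def verify_token(token: bytes, key: bytes):
    """Return the payload only if the tag verifies; otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(b".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # missing separator or undecodable base64
        return None
    expected = hmac.new(key, payload, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload
```

The HMAC tag authenticates the payload but does not hide it, so anything secret still needs encryption before it leaves the server.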