Hi Devendra and Carlos,
I think the main confusion here is that the OAuth playground (doc) is based on 3-legged OAuth, while the orkut REST documentation mainly describes how gadget servers can talk to the orkut server using 2-legged OAuth. I think we should be updating the guide to eliminate any confusion. Please refer to the OAuth documentation in full here, and then consider the following: 1. Yes, HMAC-SHA1 is good. I would use one of the OAuth libraries to get my OAuth signature (which is really just the encoded version of the OAuth shared secret that you got after gadget verification). I have no idea what exact signing technique they use unless I took a look at their code, but I can tell you that they are expected to follow the guidelines laid down here. 2. The oauth_token is a term specific to 3-legged OAuth (again, please follow the OAuth doc above), and that's why you don't find it mentioned in the guide. 3. The OAuth scope is used simply to limit which services your application has access to. It's not a website on its own. 4. That point in question is again specific to the gadget server-orkut server conversation, where "application" is a gadget that you install, which then authorises the gadget server to be able to pull your profile data. It seems your purpose would be better solved using the client library, which is not REST and which uses 3-legged OAuth. I believe at the moment we have a much fuller support for RPC than for REST. I hope that helps! Prashant -- You received this message because you are subscribed to the Google Groups "orkut Developer Forum" group. To post to this group, send email to opensocial-or...@googlegroups.com. To unsubscribe from this group, send email to opensocial-orkut+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/opensocial-orkut?hl=en.