That's an interesting point, Chad. My basic assumption is that "normal" people don't know what the hell OAuth is. They're used to giving out passwords. If clicking a banner makes it work, they're happy.
I figured the 3rd party apps would already be using a Twitter password. So they aren't asking for a password to work with Tipjoy, but with their service. For example, an iphone twitter client could, say, turn off ads by making a Tipjoy payment. The Tipjoy account creation, payment, balance extraction, and other API calls would all just use the Twitter password already stored in the client. "It just works*" This is a bit different for applications that sell content, that might want to start selling over Twitter. if http://popcuts.com started using Tipjoy to sell mp3s over twitter, they would need to ask for the Twitter password just to use Tipjoy. Then this concern is valid. Either way, I hope to have the OAuth solution in place this week. No need to keep it a secret: we plan on allowing for a authorization_url param that is an OAuth signed call to http://twitter.com/account/verify_credentials.json We'd verify the call with Twitter, then proceed like we have a twitter password. This call won't work though, because we'd need to update the user's status http://tipjoy.com/api/#creating_twitter_payment We'll enable a work-around by posting the tweet, and calling that endpoint with an id of a tweet already posted. That should all work, right? Thanks! Ivan http://tipjoy.com *ymmv On Apr 8, 11:21 am, Chad Etzel <jazzyc...@gmail.com> wrote: > Hi Ivan, > > This looks quite interesting. I do have one concern, though. > > On the main tipjoy.com site, you have a prominent banner saying "click > here to sign up in 5 seconds without giving us your password." > ...which then leads to the OAuth sign-in. > > The Tipjoy API requires a twitter user/pass combo for authentication. > If I am User A who already has created an account on Tipjoy using > OAuth, and now I see another 3rd party application asking for my > twitter user/pass to interact with Tipjoy, I am going to be very > concerned that this other app is trying to scam me. > > I guess it just looks like a conflicting message to me. > > I know you said you are "hacking" something together for OAuth apps, > so maybe this concern is unnecessary, but wanted to give you that > feedback as a potential user of this system. > > As a developer, the API looks very interesting. I don't know how many > people would actually want to tie their twitter account to actual > money transactions, but I guess there's only one way to find out... > > Congrats on the API launch, > -Chad > > On Wed, Apr 8, 2009 at 10:57 AM, Ivan Kirigin <ivan.kiri...@gmail.com> wrote: > > >>>the recipient has enough to cash out to a PayPal account ... before the > >>>transaction is cancelled ... what happens? > > > We audit every cash out, so this step isn't fully automated. It's hard > > to "take the money and run" > > > Also, we track transactions across the site. As you can imagine with > > micropayments, any wholesale fraud would require lots of transactions > > or amounts much larger than the median to make any real money. This > > makes fraud detection easier. > > > If anyone sees any transactions that are faulty, they can let us know. > > We already actively block many IPs and domains because of link spam, > > and expect to do the same for fraudsters too. > > > Best, > > Ivan > >http://tipjoy.com > > > On Apr 8, 9:52 am, Dossy Shiobara <do...@panoptic.com> wrote: > >> Great, now Nigerian royalty can use Twitter to get their millions of > >> secret dollars out of their country, with the aid of Twitter users help! > >> (lol) > > >> Or, the first rogue Twitter app. that tweets a Tipjoy payment message > >> from the user who gives up their username/password to the rogue app. > >> It'd be a Tipjoy mugging! > > >> At least Tipjoy lets you cancel transactions that aren't paid for yet. > >> But, if you pre-charge your account, and the money is sent from the > >> account, and the recipient has enough to cash out to a PayPal account > >> ... before the transaction is cancelled ... what happens? > > >> Sounds so very dangerous. > > >> On 4/8/09 9:27 AM, Ivan wrote: > > >> > Hi Folks, > > >> > Tipjoy's Twitter Payments have been really successful for P2P and > >> > charitable payments. Now we've released an API for Twitter > >> > applications to do payments over Twitter: > >> >http://tipjoy.com/api > > >> -- > >> Dossy Shiobara | do...@panoptic.com |http://dossy.org/ > >> Panoptic Computer Network |http://panoptic.com/ > >> "He realized the fastest way to change is to laugh at your own > >> folly -- then you can let go and quickly move on." (p. 70)