Today we deployed code that implemented the changes that accompanied the
update to the 1.0a OAuth specification. LuckyCal has a great article on the
subtle differences that come with the update [1] so please peruse this
article if you are getting 401 errors with your implementation.

Callbacks for non-desktop apps are now supported with these rules:
- When making the call to request_token [4] (server-to-server), you can pass
&oauth_callback=[url here]
- The response from request_token will contain oauth_callback_confirmed=true
to confirm we received it.
- The user will be sent to twitter.com as usual
- When the user is finished they will be redirected to the URL provided in
the first step along with a new parameter, oauth_verifier [1]
- The call to access_token [5] to exchange the request token for an access
token MUST contain the oauth_verifier parameter as sent in the redirect.
- If you want to use your pre-configured callback, then do not include an
oauth_callback parameter.
- If you want to force the PIN-based solution, send oauth_callback=oob with
your request to oauth/authenticate

Additionally, as a couple developers have already noticed, we deployed the
code that implemented PINs for desktop apps originally mentioned by Matt.
Please review the linked documentation [2] and discussion [5] and let us
know what questions you have.

If you find that your browser-based OAuth application is returning a PIN as
if it were a desktop app, then remove the oauth_callback=oob parameter from
your signature, if it exists.

1. http://blog.luckycal.com/?p=121
2. http://apiwiki.twitter.com/Authentication
3. http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-request_token
4. http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-oauth-access_token
5. http://groups.google.com/group/twitter-development-talk/browse_frm/thread/1c48fedf4ae7ed52/7d772dedcc756cbf#7d772dedcc756cbf

Thanks,
Doug
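
Added example, not part of the original message and not Twitter's code: a consumer-side sketch of the checks the callback rules above imply, namely confirming oauth_callback_confirmed=true and refusing to call access_token without the oauth_verifier from the redirect. The function names, the app.example URL and the token values are constructed for illustration; the oauth_token check on the redirect follows the OAuth 1.0a specification rather than anything stated in the message.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

class OAuthFlowError(Exception):
    """Raised when a step of the 1.0a callback flow fails a check."""

def _single_values(query):
    # Keep the first value of each parameter; blank values are dropped by parse_qs.
    return {k: v[0] for k, v in parse_qs(query).items()}

def parse_request_token_response(body, sent_callback):
    """Validate the request_token response body (form-encoded)."""
    fields = _single_values(body)
    for name in ("oauth_token", "oauth_token_secret"):
        if name not in fields:
            raise OAuthFlowError("request_token response lacks " + name)
    # If we passed oauth_callback, the server must confirm it received it.
    if sent_callback and fields.get("oauth_callback_confirmed") != "true":
        raise OAuthFlowError("oauth_callback was not confirmed")
    return fields

def access_token_params(redirect_url, pending):
    """Build the extra access_token parameters from the user's redirect."""
    query = _single_values(urlsplit(redirect_url).query)
    returned = query.get("oauth_token", "")
    # The redirect must refer to the request token this session started with.
    if not hmac.compare_digest(returned.encode(), pending["oauth_token"].encode()):
        raise OAuthFlowError("redirect carries a different request token")
    verifier = query.get("oauth_verifier")
    if not verifier:
        raise OAuthFlowError("redirect lacks oauth_verifier")
    # access_token MUST carry the verifier exactly as sent in the redirect.
    return {"oauth_token": pending["oauth_token"], "oauth_verifier": verifier}

# Constructed sample data, not captured from a real exchange.
SAMPLE_RESPONSE = ("oauth_token=reqtok123&oauth_token_secret=s3cr3t"
                   "&oauth_callback_confirmed=true")
SAMPLE_REDIRECT = "https://app.example/cb?oauth_token=reqtok123&oauth_verifier=v9x7"

if __name__ == "__main__":
    pending = parse_request_token_response(SAMPLE_RESPONSE, sent_callback=True)
    print(access_token_params(SAMPLE_REDIRECT, pending))
```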
