On Thu, 6 Aug 2009 12:01:14 -0400
Robert Fishel <bobfis...@gmail.com> wrote:

> I too thought that one should call verify credentials with OAuth. How
> are you suggesting we verify that the token is still active, another
> call to oauth_authenticate/authorize?

The oauth_authenticate and oauth_authorize calls are not rate limited.
They can't be used to hack user credentials, so they don't need to be.

Authentication is a once-per-session event. Once authenticated, a user
remains authenticated to your app until your own session controls
expire. This is independent of the user's Twitter session, except that
the user needs to be authenticated with Twitter in order for Twitter
to authenticate the user to your app. This happens once, at the
beginning of the user's session with your app and it is not subject to
a DoS attack on the account/verify_credentials service. 

It may be useful to verify that an authorization token has been
activated, but checking authorization before a call that will fail if
the authorization is not available is wasted bandwidth. You should
check after the call to see if the action succeeded. It's more reliable
and lower bandwidth. 

Chris Babcock
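
The check-after-the-call approach from the message above, next to the pre-check it argues against, as an added example that is not part of the original thread. `FakeApi` is a constructed in-memory stand-in for the service, `statuses/update` is assumed as the action endpoint, and no network requests are made.

```python
# Added example. FakeApi is a constructed stand-in for the remote service;
# nothing here talks to a real API.
class TokenRevoked(Exception):
    """Raised when the service answers 401 for our access token."""

class FakeApi:
    """Counts requests; the first `revoke_after` requests succeed, later ones get 401."""
    def __init__(self, revoke_after=None):
        self.requests = 0
        self.revoke_after = revoke_after  # None means the token never dies

    def call(self, endpoint, token, **params):
        self.requests += 1
        alive = self.revoke_after is None or self.requests <= self.revoke_after
        return 200 if alive else 401

def post_with_precheck(api, token, status):
    """Verify first, then act: two round trips on every action."""
    if api.call("account/verify_credentials", token) != 200:
        raise TokenRevoked("pre-check failed")
    code = api.call("statuses/update", token, status=status)  # assumed endpoint
    if code == 401:
        # Still required: the user can revoke access between the two calls.
        raise TokenRevoked("revoked after pre-check")
    return code

def post_then_check(api, token, status):
    """Act, then inspect the result: one round trip, same failure handling."""
    code = api.call("statuses/update", token, status=status)  # assumed endpoint
    if code == 401:
        raise TokenRevoked("call rejected")
    return code

def requests_used(strategy, revoke_after=None):
    """Run one action with `strategy`; return (outcome, requests sent)."""
    api = FakeApi(revoke_after)
    try:
        outcome = strategy(api, "constructed-token", "hello")
    except TokenRevoked as exc:
        outcome = str(exc)
    return outcome, api.requests

if __name__ == "__main__":
    for strategy in (post_with_precheck, post_then_check):
        for revoke_after in (None, 1, 0):
            print(strategy.__name__, revoke_after, requests_used(strategy, revoke_after))
```

With `revoke_after=1` the pre-check passes and the action still fails, so the 401 handler on the action is needed in both strategies and the pre-check only adds a request.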
