You would use two-legged OAuth in conjunction with xAuth. For the requests
your app makes that don't require a user, you'd use two-legged OAuth.

The process for acquiring an accessToken in xAuth is itself almost a
two-legged OAuth operation (just like the request token step). The way you
formulate a two-legged request is essentially identical.

The point of xAuth is to give you a path to exchange login and password for
an access token. The intent is that you'll dispose of the logins and
passwords and store only the access token to make requests on the user's
behalf. If the access token is manually expired by the user, you would ask
them for their login information again and exchange for an access token
again.

The ultimate goal here is for there to be no justifiable reason for
developers to retain logins and passwords.

The URL of an application is not related to your use of an access token.
However, if you have two websites, one about dogs and the other about cats
for example, and I grant access to my Twitter account for the dog website --
it would not be acceptable that the cat website also had access to my
Twitter account. Being above the board at all times about how far granted
access goes is a best practice all should keep in mind. In this (admittedly
silly) example, it would be the best practice to have two client
applications/API keys registered with Twitter: one for the dogs site and one
for the cats site.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Tue, Mar 23, 2010 at 1:31 PM, Lil Peck <lilp...@gmail.com> wrote:

> I have some really stupid questions, regarding xauth. (Sorry.)
>
> Looking at this article:
>
> http://www.reynoldsftw.com/2010/03/using-xauth-an-alternate-oauth-from-twitter/
>
> Can xauth be used as the "2 legged" model?
>
> The article says
> >
>  First off though, you need to send an email to a...@twitter.com and
> ask them to register your OAuth application to use xAuth. Once
> approved (you’ll get an email at time of writing) you make a call to
> the API method “https://api.twitter.com/oauth/access_token”
> >
>
> After one has gotten that token, can one use it for all of one's web
> based apps regardless of URL of the app?
>
> To unsubscribe from this group, send email to twitter-development-talk+
> unsubscribegooglegroups.com or reply to this email with the words "REMOVE
> ME" as the subject.
>
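
The reply above says the xAuth token exchange is formulated like a two-legged request and that only the access token should be stored afterwards. The following Python sketch is an added example, not code from the thread or from Twitter: the `x_auth_*` field names are assumed from Twitter's xAuth documentation of the time, `send` is a hypothetical transport callable, and all keys, logins and tokens are constructed sample values.

```python
import base64, hashlib, hmac, urllib.parse

ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"  # URL quoted in the thread

def pct(value):
    # OAuth 1.0a percent-encoding: only unreserved characters stay literal.
    return urllib.parse.quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the signature base string. With no access token the key is
    # just "<consumer_secret>&": that is all "two-legged" means for signing.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def oauth_params(consumer_key, nonce, timestamp):
    return {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp), "oauth_version": "1.0"}

def xauth_exchange(send, consumer_key, consumer_secret, login, password, nonce, timestamp):
    # Same two-legged shape plus the x_auth_* fields (names assumed from
    # Twitter's xAuth documentation; they are not given in the thread).
    params = oauth_params(consumer_key, nonce, timestamp)
    params.update({"x_auth_mode": "client_auth",
                   "x_auth_username": login, "x_auth_password": password})
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, consumer_secret)
    body = send(ACCESS_TOKEN_URL, params)  # hypothetical transport callable
    fields = dict(urllib.parse.parse_qsl(body))
    # Persist only the token pair; login and password go out of scope here.
    return {"oauth_token": fields["oauth_token"],
            "oauth_token_secret": fields["oauth_token_secret"]}

def signed_user_request(method, url, record, consumer_key, consumer_secret, nonce, timestamp):
    # Later requests on the user's behalf are signed with the stored token only.
    params = oauth_params(consumer_key, nonce, timestamp)
    params["oauth_token"] = record["oauth_token"]
    params["oauth_signature"] = sign(method, url, params, consumer_secret,
                                     record["oauth_token_secret"])
    return params

if __name__ == "__main__":
    # Constructed response body standing in for the server's reply.
    fake = lambda url, p: "oauth_token=tok-constructed&oauth_token_secret=sec-constructed"
    print(xauth_exchange(fake, "ck-constructed", "cs-constructed",
                         "alice", "pw-constructed", "n1", 1269370000))
```

Registering a separate client application per site, as the reply recommends, means each site calls these functions with its own consumer key and secret, so a token issued to one cannot be used to sign requests for the other.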
