When I send incorrect credentials with a user/show.json command I expect to get a 401 code from Twitter. However, when I do this from a browser using XMLHttpRequest I get 400 instead. Actually, for the first 100 tries I get 200 codes, and thereafter I get 400 codes, because there is a rate limit of 100 per hour. The point is, at no time does authentication ever occur.
Could this be a bug in Twitter? As this post explains (http://groups.google.com/group/twitter-development-talk/browse_thread/thread/35c3918ec2317e98/d05dd17c5a261dfa?lnk=gst&q=xmlhttprequest+401#d05dd17c5a261dfa), the RFC dictates that the browser does not send credentials until it first receives a 401.
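
The exchange described above, as an added example that is not part of the original post and is not Twitter's code: a constructed model in which the endpoint is assumed to serve anonymous requests, so it never issues a 401 challenge and a client that waits for one never sends its credentials. The account, passwords and all function names are hypothetical.

```javascript
// Constructed model (runs in Node.js); all names and values are made up.
// Assumption: the endpoint answers anonymous requests, so it never challenges.
const RATE_LIMIT = 100; // anonymous requests per hour, as reported in the post

function basic(user, password) {
  return "Basic " + Buffer.from(`${user}:${password}`).toString("base64");
}

const VALID = basic("alice", "correct-password"); // constructed account

function makeServer() {
  let anonymousCount = 0;
  return function handle(request) {
    const auth = request.headers["Authorization"];
    if (auth === undefined) {
      // No credentials presented: served anonymously until the limit is hit.
      anonymousCount += 1;
      return { status: anonymousCount <= RATE_LIMIT ? 200 : 400 };
    }
    // Credentials are only checked when the client actually sends them.
    return { status: auth === VALID ? 200 : 401 };
  };
}

// Challenge-response client: holds credentials back until it sees a 401.
function challengeResponseClient(handle, user, password) {
  const first = handle({ headers: {} });
  if (first.status !== 401) return { status: first.status, credentialsSent: false };
  const retry = handle({ headers: { Authorization: basic(user, password) } });
  return { status: retry.status, credentialsSent: true };
}

// Preemptive client: puts the Authorization header on the first request.
function preemptiveClient(handle, user, password) {
  const res = handle({ headers: { Authorization: basic(user, password) } });
  return { status: res.status, credentialsSent: true };
}

// 101 requests with a wrong password from the waiting client, then one
// preemptive request with the same wrong password.
function runScenario() {
  const handle = makeServer();
  const waiting = [];
  for (let i = 0; i < 101; i++) {
    waiting.push(challengeResponseClient(handle, "alice", "wrong-password"));
  }
  const preemptive = preemptiveClient(handle, "alice", "wrong-password");
  return { waiting, preemptive };
}
```

In this model the wrong password is only rejected once the client sends the header without waiting for a challenge; in a browser that corresponds to setting `Authorization` with `setRequestHeader` on the XMLHttpRequest.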
