Except that this case fails for calls such as statuses/friends if the
user isn't authenticated but you think he is you get a completely
valid (from one point of view) set of results back but they do not
include any protected users. Therefore a call to verify_credentials is
necessary to ensure that you are processing the correct data.


On Thu, Aug 6, 2009 at 10:36 PM, Chris Babcock<cbabc...@asciiking.com> wrote:
> On Thu, 6 Aug 2009 12:01:14 -0400
> Robert Fishel <bobfis...@gmail.com> wrote:
>> I too thought that one should call verify credentials with Oauth. How
>> are you suggesting we verify that the token is still active, another
>> call to oauth_authenicate/authorize?
> The oauth_authenicate and oauth_authorize calls are not rate limited.
> They can't be used to hack user credentials, so they don't need to be.
> Authentication is a once per session event. Once authenticated, a user
> remains authenticated to your app until your own session controls
> expire. This is independent of the user's Twitter session, except that
> the user needs to be authenticated with Twitter in order for Twitter
> to authenticate the user to your app. This happens once, at the
> beginning of the user's session with your app and it is not subject to
> a DoS attack on the account/verify_credentials service.
> It may be useful to verify that an authorization token has been
> activated, but checking authorization before a call that will fail if
> the authorization is not available is wasted bandwidth. You should
> check after the call to see if the action succeeded. It's more reliable
> and lower bandwidth.
> Chris Babcock

Reply via email to