I just submitted a whitelisting request, along with a comment along the following lines:
I think it would be good if Twitter did API call accounting based on the HTTP auth header whenever one is sent - even if the call itself does not require auth.

I'm at home right now and although my account (@terrycojones) is whitelisted, my home IP is not. So while I can make a decent number of authenticated calls, I can't do much with the app I'm trying to write as it's making non-authenticated calls. The non-authenticated calls are accounted for by IP. Even if my home IP were whitelisted, I'd be stuck if I were in a hotel.

The concrete suggestion is: to always do API call accounting based on the passed auth details, and if no auth information is passed, then fall back to IP-based accounting. That wouldn't change much and is backwards compatible. Auth-requiring calls would be just as they were. But in the case of non-auth-requiring calls, the developer would have the choice: send auth to get account-based accounting, don't send it to get IP-based accounting.

Terry
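The accounting rule suggested above, sketched as an added example (not code from the original post or from Twitter). It assumes HTTP Basic auth and uses a constructed account, limits and IP addresses; it keys on the account only after the credentials verify, so a header with bad credentials is accounted by IP like an unauthenticated call.

```python
import base64
import hmac
from collections import defaultdict

# Constructed sample data: account, limits and IPs are illustrative assumptions.
ACCOUNTS = {"alice": "s3cret"}                      # username -> password
WHITELIST = {("account", "alice")}                  # buckets with the raised limit
DEFAULT_LIMIT, WHITELIST_LIMIT = 3, 10              # calls per window


def basic_header(user, password):
    """Build an HTTP Basic Authorization header value (helper for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verified_user(auth_header):
    """Return the username if the header carries valid credentials, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = ACCOUNTS.get(user)
    if expected is None:
        return None
    ok = hmac.compare_digest(expected.encode(), password.encode())
    return user if ok else None


class Accountant:
    """Counts calls per bucket within one window; reset() starts the next window."""

    def __init__(self):
        self.counts = defaultdict(int)

    def reset(self):
        self.counts.clear()

    def bucket(self, auth_header, ip):
        # Verified auth wins; missing or invalid auth falls back to the client IP.
        user = verified_user(auth_header)
        return ("account", user) if user else ("ip", ip)

    def allow(self, auth_header, ip):
        key = self.bucket(auth_header, ip)
        limit = WHITELIST_LIMIT if key in WHITELIST else DEFAULT_LIMIT
        if self.counts[key] >= limit:
            return False
        self.counts[key] += 1
        return True
```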
