Ryan,

By credentials, I meant the OAuth tokens, consumer keys, etc.
Wouldn't they be visible to the browser/desktop-client? And hence, couldn't they be copied and reused by somebody so determined?

Personally, I think the chance of this kind of attack would be rare and limited. I just wanted to know if this is a tolerable risk to take and one that won't cause my application to be blocked.

thanks,
Harshad

On Sat, Nov 7, 2009 at 7:00 PM, ryan alford <ryanalford...@gmail.com> wrote:

> There are no app-specific servers. With OAuth, instead of passing user
> credentials, you use YOUR consumer key and consumer secret which identifies
> your application.
>
> You get an access token after the user has allowed your application to have
> access to their account. You will then use that access token, your consumer
> secret, and your consumer key to make the requests to the API.
>
> Ryan
>
>
> On Sat, Nov 7, 2009 at 8:13 AM, Harshad RJ <harshad...@gmail.com> wrote:
>
>> Hi,
>>
>> I am trying to wrap my mind around OAuth, and I am not sure I understand
>> the subtleties.
>>
>> Is it possible to make OAuth authenticated requests from browser
>> *directly* to the Twitter API? Is it a safe & recommended way?
>>
>> Or do all API requests have to go through an application-specific server,
>> to keep the credentials a secret?
>>
>> My hunch is that yes, an app-specific server would be required. But in
>> that case, how do desktop-clients manage it? Or do they also route the calls
>> through an intermediary?
>>
>> thanks in advance,
>> --
>> Harshad RJ
>> http://hrj.wikidot.com
>>
>
>

--
Harshad RJ
http://hrj.wikidot.com
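An added illustration of the signing step described in the quoted reply; it is not code from the thread or from Twitter. It assumes the OAuth 1.0a HMAC-SHA1 signature method (RFC 5849), and every key, secret, parameter value and URL below is a constructed placeholder. It shows that the API checks possession of the consumer secret and token secret, so any program holding both produces requests the server accepts.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 signature over the OAuth 1.0a signature base string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    # The key uses BOTH secrets, so a client that signs requests must hold both.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_accepts(method, url, params, signature, consumer_secret, token_secret):
    """The API's check: recompute with the registered secrets and compare."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (assumptions), not real credentials or endpoints.
CONSUMER_SECRET = "example-consumer-secret"
TOKEN_SECRET = "example-token-secret"
URL = "https://api.example.test/1/statuses/update.json"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1257602400",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "status": "hello world",
}

def demo():
    """Return what the server concludes in three situations."""
    args = ("POST", URL, PARAMS)
    sig = sign(*args, CONSUMER_SECRET, TOKEN_SECRET)
    guessed = sign(*args, "guessed-consumer-secret", TOKEN_SECRET)
    edited = {**PARAMS, "status": "edited in transit"}
    return {
        "signed_with_both_secrets": server_accepts(*args, sig, CONSUMER_SECRET, TOKEN_SECRET),
        "token_secret_only": server_accepts(*args, guessed, CONSUMER_SECRET, TOKEN_SECRET),
        "params_changed_after_signing": server_accepts("POST", URL, edited, sig, CONSUMER_SECRET, TOKEN_SECRET),
    }
```

The first result is true for any holder of the two secrets, which is why a consumer secret shipped inside a browser or desktop client identifies the application only as long as nobody extracts it.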