Hi Simon, You've figured out all the right answers! Glad to hear. SignPost should work fine for you with Twitter, but I'll just mention that it has some issues with other services with stricter OAuth implementations.
Wish you luck in finding your way to OAuth, and we're here to help if you get stuck along the way. Taylor Singletary Developer Advocate, Twitter http://twitter.com/episod On Wed, Apr 28, 2010 at 4:32 PM, Simon <simon.kitch...@airnz.co.nz> wrote: > To reply to myself: I've figured most of this out now. > > (1) > Yes, the app should be registered. > > Log on to the twitter account that messages will be published to, then > go to "dev.twitter.com/apps" and add a new app. > > (2) > When an app is defined by an account, the app is automatically added > to that account's connections. > > (3) > No, xauth is not the right tool. On the app page (either just after > defining the app, or later by account settings | connections), the "my > access token" button will create an authentication (token, secret) > pair that can be used to authenticate the server app against the > account. The "web-based authentication" step is then unnecessary. > These auth tokes do not expire (unless you explicitly log onto the > account and revoke the token). > > (4) > It looks like the signing is not too complicated, but also non- > trivial; oauth is simply more complex than basic auth. So using a lib > is probably the best solution. The Signpost project (google) appears > to have a nice small implementation. >