currently it appears that there is no facility for an application
("consumer") to expire authorization.

The twitter server can't do it automatically, since it doesn't really
know when the consumer is finished with the authorized session, if ever.

The user doesn't even know that authorization tokens and secrets exist,
for the most part.

However it could be good in some cases to enable the consumer
application to explicitly say that it doesn't want the  authorization
any more. This would protect against the case of token/secret pair and
consumer key/secret pairs being re-used by others.

Is there any consideration for this? Basically all that would be needed
is an API entry point where the consumer says "thanks but no more",
signed and verified as normal.

Bernd Stramm

Reply via email to