Over the past couple of months the Twitter API Google Group has been overflowing with more and more disgruntled developers complaining about lack of bug fixes, slow rollout of promised features, nomobile interface for OAuth, etc. (The list goes on and on) Well I'm happy to say Twitter appears to be almost done with one much requested feature: browserless OAuth credentials exchange. It was hinted that Seesmic Look was using said exchange so today I took a peek at how Look worked behind the scenes.
To start off Look is using the standard oauth/access_token endpoint on the new https://api.twitter.com subdomain.
In addition to the standard POST headers, Look adds several values that include a username and password for the specific user.
The return value is an access_token as expected plus x_auth_expires whose meaning I can only guess at.
I didn't bother to try the exchange with my own consumer key but I would assume access is limited to specific partners for now.