[no subject]



But I realized we are going to have some issues:

1. The request_token, authorize, and access_token base URLs need to be
done the same way on all implementing servers, *or* we need to have
them specified in the root resource we recently added to the API (this
means one additional request before starting the OAuth process).

2. The OAuth consumer key and consumer secret need to be identical in
each server implementation, or specified by the user, or acquired
through some other hackery.  This could be a big problem, I think.
Perhaps the solution is to generate dozens of reserved pairs just for
this API, and work together to assign them to different client apps?
I think it would be really handy if Tomboy, Tomdroid, Conboy, etc.,
all had different consumer keys and secrets (so if one of them has a
bug that DDoS's servers, we can selectively throttle).  I guess that
could also be done with user agent, but I think that's not the "right"
way?

Interested in creative solutions to these problems.

Sandy
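
An added example (not from the original message or any project's code) of the selective throttling mentioned in point 2: requests are counted per oauth_consumer_key read from the OAuth 1.0 Authorization header. The key names, limits and realm are constructed, and it assumes the request signature has already been verified.

```python
import re
import time
from urllib.parse import unquote

# Constructed values: the thread does not assign any consumer keys or limits.
# consumer key -> (max requests, window in seconds)
LIMITS = {"tomdroid-key-EXAMPLE": (2, 10.0)}   # a misbehaving client, throttled hard
DEFAULT_LIMIT = (5, 10.0)                      # every other registered client

_PARAM = re.compile(r'(\w+)="([^"]*)"')

def consumer_key(auth_header):
    """Return oauth_consumer_key from an OAuth 1.0 Authorization header, or None."""
    scheme, _, rest = auth_header.partition(" ")
    if scheme.lower() != "oauth":
        return None
    # Header parameter values are percent-encoded (RFC 5849, section 3.5.1).
    params = {name: unquote(value) for name, value in _PARAM.findall(rest)}
    return params.get("oauth_consumer_key")

class ConsumerThrottle:
    """Sliding-window request counter keyed by consumer key.

    Assumption: the OAuth signature was checked before allow() is called,
    otherwise the key is as easy to spoof as a User-Agent string.
    """
    def __init__(self, limits, default):
        self.limits, self.default, self.hits = limits, default, {}

    def allow(self, auth_header, now=None):
        now = time.monotonic() if now is None else now
        key = consumer_key(auth_header)
        if key is None:
            return False                      # not an OAuth request at all
        limit, window = self.limits.get(key, self.default)
        recent = [t for t in self.hits.get(key, []) if now - t < window]
        allowed = len(recent) < limit
        if allowed:
            recent.append(now)
        self.hits[key] = recent
        return allowed

def sample_header(key):
    """Build a constructed Authorization header for the given consumer key."""
    return f'OAuth realm="notes", oauth_consumer_key="{key}", oauth_signature_method="HMAC-SHA1"'
```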

