Twitter Applications can now use Tipjoy API with Twitter OAuth credentials, instead of Twitter Passwords.

We recently pushed an exciting update to the Tipjoy API. Twitter Apps no long need to store passwords for their Twitter users to access our API - they can use OAuth.

OAuth is a new authentication scheme that Twitter has rolled out to replace requiring Twitter users to give others their password.

This API update is great because there has been a lot of discussion lately about OAuth not allowing twitter mashups, and we think we're the first to deploy a solution. This problem is best illustrated with an example.

TweetDeck can post a picture to TwitPic using a user's twitter username and password.
Then TwitPic could use that same username and password create a TwitPic account (verified with a call to Twitter) and also to post a tweet to Twitter with a link to the picture.

If a user grants TweetDeck OAuth access to Twitter, Twitter gives TweetDeck a secret key for that user. TweetDeck then "signs" each request to Twitter with the secret, but shouldn't send that key to Twitter with the API request.

So if TweetDeck wants to communicate with TwitPic, how can they do it? Unlike a password, you couldn't share that secret key. TweetDeck can't send a request to TwitPic that TwitPic could use to post a tweet, and TwitPic can't verify that TweetDeck has access to that user at all.

Our solution is to create a pre-signed request to the Twitter API that a 3rd party can use to verify the user. In the example, TwitPic could take this signed request, and ask Twitter if it is legit. If so, they can post the picture and even make a TwitPic account. TwitPic can't tweet on behalf of the user, but that's OK. TweetDeck can make the tweet, and just link the picture.

For Tipjoy, 3rd party applications can give still use OAuth, and also use our API to create Tipjoy accounts, initiate payments, get Tipjoy balance information, etc.

We think this is pretty cool.