What's OAuth ?
An open protocol to allow secure API authentication.

Huh ?
Basically, it's a method that allows users to authorize apps or services to use their SmugMug account without having to provide their SmugMug username or password.

• OAuth Protocol - http://oauth.net
• Beginner's Guide to OAuth - http://www.hueniverse.com/hueniverse/2007/10/beginners-gui-1.html

• Consumer - The application or service.
• Service Provider - SmugMug
• End User - The SmugMug user who authorizes the consumer to access their account.
• Request Token - The unique token used to initiate the authorization.
• Access Token - The unique token used to access an end user's account. An authorized request token is exchanged for an access token.

• Request Token URL - http://api.smugmug.com/services/oauth/getRequestToken.mg
• Authorize URL - http://api.smugmug.com/services/oauth/authorize.mg
• Access Token URL - http://api.smugmug.com/services/oauth/getAccessToken.mg
• Signature Methods - HMAC-SHA1, PLAINTEXT
• Request Token Expiration - 20 minutes, single use only
• Access Token Expiration - never

API Methods smugmug.auth.getRequestToken and smugmug.auth.getAccessToken are also available.

Obtaining an unauthorized request token

1. The application/service asks for an unauthorized request token.
2. SmugMug returns an unauthorized request token.

Obtaining User Authorization

1. The application/service redirects the end user to SmugMug to authenticate and authorize the application/service to access his/her account.
2. The end user logins into their SmugMug account.
3. The end user authorizes the application/service to access his/her account.
4. If application/service has a callback url, the end user is redirected automatically after authorization. Otherwise, the end user closes the browser window and returns to the application or service manually.

Obtaining an Access Token

1. The application/service presents the authorized request token.
2. SmugMug returns an access token
3. The application/service stores the access token.