(copying here some notes that i just dumped to irc while i was checking tweetdeck's traffic)

so i tried out tweetdeck.

it's an official client that consumes the twitter api, almost all of it using documented features.

login

it logs in using "XAuth", which is a twitter-specific method to get oauth tokens, but using username/password. use of XAuth is restricted to apps that can prove they can't use oauth the usual way.

https://dev.twitter.com/oauth/xauth

request signing

they handle oauth1 request signing by sending requests to http://tweetdeck.twitter.com/oauth/sign/twitter/<request url>, which redirects to that url + signature parameters

in other words, oauth1 request signing is too complex for twitter

update: while i'd love to be able to say the above, the reason is most likely that they want to keep the tweetdeck consumer secret hidden from users
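
an added example (not tweetdeck's code and not part of the original notes): a minimal model of why signing gets pushed to a server. oauth1 HMAC-SHA1 signatures are keyed with the consumer secret plus the token secret, so a client that signs locally has to ship the consumer secret. `sign_service`, `api_verify`, the host and every key/secret value are made up here, and handing the user's token secret to the signer is an assumption, since the notes don't say how the real endpoint gets it.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# constructed sample values; only the signer process holds the consumer secret
CONSUMER_KEY = "example-consumer-key"
SIGNER_CONSUMER_SECRET = "example-consumer-secret"

def pct(s):
    """percent-encode as oauth1 requires (only unreserved characters survive)"""
    return quote(s, safe="-._~")

def base_string(method, url, params):
    """METHOD & encoded base url & encoded, sorted parameter list"""
    u = urlsplit(url)
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(f"{u.scheme}://{u.netloc}{u.path}"), pct(normalized)])

def hmac_sha1(consumer_secret, token_secret, text):
    """HMAC-SHA1 keyed with both secrets: no consumer secret, no valid signature"""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()

def sign_service(method, url, token, token_secret, nonce, timestamp):
    """signer side (hypothetical): return the url with oauth_* parameters appended.
    nonce/timestamp are passed in to keep the example deterministic."""
    oauth = [("oauth_consumer_key", CONSUMER_KEY), ("oauth_nonce", nonce),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", timestamp),
             ("oauth_token", token), ("oauth_version", "1.0")]
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    sig = hmac_sha1(SIGNER_CONSUMER_SECRET, token_secret,
                    base_string(method, url, query + oauth))
    extra = "&".join(f"{k}={pct(v)}" for k, v in oauth + [("oauth_signature", sig)])
    return url + ("&" if query else "?") + extra

def api_verify(method, signed_url, consumer_secret, token_secret):
    """api side (hypothetical): recompute over everything except oauth_signature"""
    params = parse_qsl(urlsplit(signed_url).query, keep_blank_values=True)
    sent = dict(params).get("oauth_signature", "")
    rest = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = hmac_sha1(consumer_secret, token_secret,
                         base_string(method, signed_url, rest))
    return hmac.compare_digest(sent, expected)
```

the client only ever sees the signed url: the consumer secret stays on the signer, and any change to the url or parameters after signing makes `api_verify` fail.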

group DMs

relevant api endpoints, nothing too weird, just not documented

POST /1.1/dm/new.json - posting new messages. pass 'text' and 'conversation_id' url encoded parameters, nothing weird

GET /1.1/dm/user_updates.json - polling. uses a 'cursor' param

GET /1.1/dm/user_inbox.json - initial fetch. returns a json with 20 conversations / last 60 messages and the cursor param for the poll

trying to access these with a normal app token returns "Your credentials do not allow access to this resource"