(copying here some notes that i just dumped to irc while i was checking tweetdeck's traffic)
so i tried out tweetdeck.
it's an official client that consumes the twitter api, almost all of it using documented features.
it logs in using "XAuth", which is a twitter-specific method to get oauth tokens but using username/password. use of XAuth is restricted to apps that can prove they can't use oauth the usual way.
they handle oauth1 request signing by sending requests to
http://tweetdeck.twitter.com/oauth/sign/twitter/<request url> which redirects to that url + signature parameters
in other words, oauth1 request signing is too complex for twitter
update: while i'd love to be able to say the above, the reason is most likely that they want to keep the tweetdeck consumer secret hidden from users
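added example (not from the original notes and not tweetdeck's code): oauth1 HMAC-SHA1 signing per RFC 5849, split so the consumer secret only exists inside a signing service, which is the design the update above describes. the host, keys, secrets, nonce and the names `signing_service` / `api_accepts` are constructed for illustration, and the url is assumed to carry no query string.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & encoded URL & encoded, sorted parameters
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # the HMAC key is "consumer_secret&token_secret": whoever signs holds both
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

# hypothetical signing service: the only place the consumer secret lives
_CONSUMER_SECRET = "constructed-consumer-secret"

def signing_service(method, url, params, token_secret):
    # hands back the request parameters with oauth_signature appended
    signed = dict(params)
    signed["oauth_signature"] = sign(method, url, params, _CONSUMER_SECRET, token_secret)
    return signed

def api_accepts(method, url, signed, token_secret):
    # api side: recompute over everything except the signature, compare in constant time
    params = {k: v for k, v in signed.items() if k != "oauth_signature"}
    expected = sign(method, url, params, _CONSUMER_SECRET, token_secret)
    return hmac.compare_digest(expected, signed.get("oauth_signature", ""))

# constructed sample request (host, keys, nonce and ids are made up)
URL = "https://api.example.test/1.1/dm/new.json"
PARAMS = {
    "text": "hello world", "conversation_id": "1-2",
    "oauth_consumer_key": "constructed-key", "oauth_token": "constructed-token",
    "oauth_nonce": "abc123", "oauth_timestamp": "1400000000",
    "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
}

if __name__ == "__main__":
    signed = signing_service("POST", URL, PARAMS, "constructed-token-secret")
    print(api_accepts("POST", URL, signed, "constructed-token-secret"))
    forged = dict(PARAMS, oauth_signature=sign("POST", URL, PARAMS, "guess", "constructed-token-secret"))
    print(api_accepts("POST", URL, forged, "constructed-token-secret"))
```

a client that only has its own token secret can't produce a signature the api accepts, and changing any parameter after signing invalidates it.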
relevant api endpoints, nothing too weird, just not documented
POST /1.1/dm/new.json - posting new messages. pass 'text' and 'conversation_id' url-encoded parameters, nothing weird
GET /1.1/dm/user_updates.json - polling. uses a 'cursor' param
GET /1.1/dm/user_inbox.json - initial fetch. returns a json with 20 conversations / last 60 messages and the cursor param for the poll
trying to access these with a normal app token returns "Your credentials do not allow access to this resource"