Changes

Privacy/BestPractices/OAuth

183 bytes removed, 21:51, 23 May 2011
== Differences between OAuth 1.0 and 2.0 ==
OAuth 1.0 and 2.0 are incompatible at the protocol level. The important design differences are:
* In OAuth 1.0, API call authentication requires both the consumer's master secret and the user-specific secret. In OAuth 2.0, only the user-specific secret is needed to authenticate API calls.
* OAuth 1.0 is optimized for using HMAC to establish token credentials and make API calls, while OAuth 2.0 is optimized for bearer tokens over SSL (essentially, passwords over an encrypted channel). OAuth 1.0 is technically capable of bearer tokens, but no one uses this because it would require sending the master secret in every call. RSA signatures can be used in OAuth 1.0 instead of HMAC, but few providers support it, and the option has gone away in OAuth 2.0. HMAC signatures of API calls are supported in OAuth 2.0 with a simplified canonicalization algorithm, but do not appear to be in use by providers at this point (May 2011).
* OAuth 1.0 encourages the use of long-lasting user tokens, while OAuth 2.0 encourages the use of short-term user tokens with a built-in refresh mechanism. The refresh mechanism in OAuth 2.0 requires the consumer's master secret. This refresh design is most useful when user tokens are built to be self-verifiable (e.g. containing their own signature), so that large-scale OAuth deployments can scale horizontally more easily.
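The first two points above, as an added example that is not part of this wiki page: an OAuth 1.0 HMAC-SHA1 signer following RFC 5849 (signature base string, then a key built from both the consumer secret and the token secret), checked against the RFC's own section 3.4.1.1 example request, next to the OAuth 2.0 bearer form where the token alone is the credential. The parameter list and the secrets used are constructed inputs.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(s.encode("utf-8"), safe="")

def signature_base_string(method: str, base_url: str, params) -> str:
    """Build the signature base string (RFC 5849 section 3.4.1) from decoded
    (name, value) pairs taken from query, form body and Authorization header,
    excluding oauth_signature and realm. Pairs are encoded first, then sorted."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """OAuth 1.0 HMAC-SHA1: the key joins BOTH secrets, which is why every signed
    API call needs the consumer's master secret as well as the user's token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_signature(base_string, consumer_secret, token_secret, presented) -> bool:
    """Provider-side check; constant-time compare avoids leaking the expected MAC."""
    expected = hmac_sha1_signature(base_string, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)

def bearer_authorization(access_token: str) -> str:
    """OAuth 2.0 contrast: the token itself is the credential (no consumer secret,
    nothing signed), so TLS is the only thing protecting it in transit."""
    return f"Bearer {access_token}"

# Constructed input reproducing the request in RFC 5849 section 3.4.1.1.
RFC_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),
    ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"), ("c2", ""), ("a3", "2 q"),
]
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)
```

Changing either secret changes the signature, which is the concrete reason a 1.0 consumer cannot make calls with the user token alone, while the 2.0 bearer header carries no proof of possession at all.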
== Designs of OAuth Consumers ==