Request Token Expiration - 5 minutes, single use only
Access Token Expiration - never, user revocation only
Obtaining an Unauthorized Request Token
The application/service asks for an unauthorized request token.
SmugMug returns an unauthorized request token.
Obtaining User Authorization
The application/service redirects the end user to SmugMug to authenticate and authorize the application/service to access his/her account. The application/service can request specific Access (Public [default] or Full) and Permissions (Read [default], Add or Modify) for a user's account by including &Access and/or &Permissions in the authorization URL.
The end user logs in to their SmugMug account.
The end user authorizes the application/service to access his/her account.
If the application/service has a callback URL, the end user is redirected automatically after authorization. Otherwise, the end user closes the browser window and returns to the application or service manually.
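Because access tokens never expire, the scope requested in the authorization URL is worth pinning down in code. The following is an added example, not SmugMug's own code: a client-side helper that builds the authorization URL with only the Access and Permissions values listed above and mirrors the 5-minute, single-use rule for request tokens. The endpoint URL and the class and method names are assumptions; oauth_token is the standard OAuth 1.0 parameter name.

```python
import time
from urllib.parse import urlencode

# Placeholder endpoint (assumption): substitute the real authorization URL.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
REQUEST_TOKEN_TTL = 5 * 60  # request tokens expire after 5 minutes

ALLOWED_ACCESS = ("Public", "Full")             # Public is the default
ALLOWED_PERMISSIONS = ("Read", "Add", "Modify")  # Read is the default


class PendingAuthorization:
    """Tracks one request token from issue until it is exchanged."""

    def __init__(self, token, issued_at=None):
        self.token = token
        self.issued_at = time.time() if issued_at is None else issued_at
        self.used = False

    def authorization_url(self, access="Public", permissions="Read"):
        """Build the redirect URL, rejecting values outside the documented set."""
        if access not in ALLOWED_ACCESS:
            raise ValueError(f"unsupported Access value: {access!r}")
        if permissions not in ALLOWED_PERMISSIONS:
            raise ValueError(f"unsupported Permissions value: {permissions!r}")
        params = {"oauth_token": self.token}
        # Defaults are omitted so the URL never asks for more than needed.
        if access != "Public":
            params["Access"] = access
        if permissions != "Read":
            params["Permissions"] = permissions
        return AUTHORIZE_URL + "?" + urlencode(params)

    def redeem(self, now=None):
        """Return the token for the access-token exchange, once and in time."""
        now = time.time() if now is None else now
        if self.used:
            raise RuntimeError("request token already used (single use only)")
        if now - self.issued_at > REQUEST_TOKEN_TTL:
            raise RuntimeError("request token expired; start the flow again")
        self.used = True
        return self.token
```

The server enforces expiry and single use itself; the local check only lets the client fail early and restart the flow instead of presenting a stale token.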
Obtaining an Access Token
The application/service presents the authorized request token.