A side-by-side comparison of flickr's OAuth authentication method with their old homebrew method.

The first two steps are the same for both the new and old access methods.

- Use the key application page to get an API Key.
- Use the apps by you page to get your API Secret.

The rest of the process is fairly similar in the new and old access methods. Each step below is given first for the OAuth authentication method and then for the old, deprecated authentication method.
Step 1: Get a Request Token

OAuth method:
Get a Request Token by calling
http://www.flickr.com/services/oauth/request_token
One of the parameters in this call is oauth_callback, which gets used later. The call gets signed in the standard OAuth way, using:
  consumer key: API Key
  consumer key secret: API Secret
  token: empty
  token secret: empty
In order to avoid exposing my API Secret to the world, I keep it server-side only, so this call gets done via a proxy. The call returns two parameters: oauth_token, which is your Request Token, and oauth_token_secret, which is your Request Token Secret.

Old deprecated method:
The OAuth method has an explicit "get a request token" step; the old method does not.
Step 2: Send the user to the authorization page

OAuth method:
Send the user to the authorization page at flickr:
http://www.flickr.com/services/oauth/authorize?oauth_token=[Request Token]&perms=[perms]
This URL does not need to be signed.

Old deprecated method:
Send the user to the authorization page at flickr. The URL looks like this:
http://flickr.com/services/auth/?api_key=[API Key]&perms=[perms]
You sign the URL using your API Secret and then send the user there. In order to avoid exposing my API Secret to the world, I keep it server-side only, so the client code displays a link to a CGI script that signs the request and generates a redirect to the real authorization URL.
Step 3: Handle the callback

OAuth method:
Once the user authorizes your app, flickr does a redirect back to you at your Callback URL, which was set in the request token step. The Callback gets passed two parameters: oauth_token, which is the same Request Token you sent, and oauth_verifier.

Old deprecated method:
Once the user authorizes your app, flickr does a redirect back to you at your Callback URL. You set the Callback URL for your app by using the "Edit the authentication flow" link from the above "apps by you" page. The Callback gets passed a single parameter, called the Frob.
Step 4: Exchange it for a Token

OAuth method:
Now you can get an actual Access Token and Secret, using:
http://www.flickr.com/services/oauth/access_token
You send it the oauth_verifier as a parameter, and sign the request using:
  consumer key: API Key
  consumer key secret: API Secret
  token: Request Token
  token secret: Request Token Secret
Once again the call is done via a proxy, to keep the API Secret secret. This returns an oauth_token and oauth_token_secret, and also the flickr user_nsid / username / fullname of the authenticated user. My implementation saves the Userid and Token/Secret in a server-side database, which allows me to authenticate the user later.

Old deprecated method:
You need to convert the Frob into a Token, using flickr.auth.getToken. In my implementation, the getToken is done by a server-side CGI, which then does a redirect back to the original app page and saves the Token in a cookie at the same time. It also saves the Userid and Token in a server-side database, which allows me to authenticate the user later.
Step 5: Check the Token

OAuth method:
Once you have a Token, you can call flickr.auth.oauth.checkToken to check that it's valid, and return the userid and permissions that it represents. This call must be signed with the API Secret, so once again I do it server-side using a proxy. In subsequent sessions, if you already have a Token in a cookie, you can skip directly to this step to check whether it's still good.

Old deprecated method:
Once you have a Token, you can call flickr.auth.checkToken to check that it's valid, and return the userid and permissions that it represents. This call must be signed with the API Secret, so once again I do it server-side using a proxy. In subsequent sessions, if you already have a Token in a cookie, you can skip directly to this step to check whether it's still good.
Step 6: Make authenticated API calls

OAuth method:
Finally, to make authenticated API calls, you sign them using:
  consumer key: API Key
  consumer key secret: API Secret
  token: Access Token
  token secret: Access Token Secret

Old deprecated method:
Finally, to make authenticated API calls, you sign them just like the checkToken call - in my version, again, via a server-side proxy.
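As an added example (not code from the original page or from its author), here is a small Python implementation of the OAuth 1.0a HMAC-SHA1 signing that the OAuth column relies on in the request token, access token and authenticated-call steps: the signature base string, the "consumer secret & token secret" signing key (with an empty token secret for the request_token call), and helpers for the request_token, authorize and access_token URLs quoted on the page. For contrast it also includes the old method's api_sig, which this page does not spell out; the md5-of-secret-plus-sorted-parameters rule is taken from the old flickr API documentation and is an assumption here. The pct helper, the function names, the nonce/timestamp override arguments and all sample credentials are mine and constructed; only the endpoints come from the page.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote

# Endpoints exactly as given on the page.
REQUEST_TOKEN_URL = "http://www.flickr.com/services/oauth/request_token"
AUTHORIZE_URL = "http://www.flickr.com/services/oauth/authorize"
ACCESS_TOKEN_URL = "http://www.flickr.com/services/oauth/access_token"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ pass through."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """METHOD & pct(url) & pct(sorted 'k=v&k=v' list); oauth_signature itself is never included."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Key is 'consumer secret & token secret'. An empty token_secret gives the
    'token secret: empty' key the page describes for the request_token call."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("utf-8")
    base = signature_base_string(method, url, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, extra, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Build the full oauth_* parameter set (plus the call's own parameters) and sign it.
    This needs the API Secret, so in the page's design it runs only on the server-side proxy.
    nonce/timestamp are overridable purely so results are reproducible (hypothetical knobs)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    if token:  # no oauth_token at all in the request_token step
        params["oauth_token"] = token
    params.update(extra)
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params


def request_token_params(api_key, api_secret, callback, **kw):
    """Step 1 (OAuth column): token and token secret both empty, oauth_callback supplied now."""
    return sign_request("GET", REQUEST_TOKEN_URL, {"oauth_callback": callback}, api_key, api_secret, **kw)


def parse_token_response(body):
    """flickr answers request_token/access_token with a form-encoded body."""
    return dict(parse_qsl(body, keep_blank_values=True))


def authorize_url(request_token, perms):
    """Step 2 (OAuth column): the redirect target for the user; this URL is not signed."""
    return f"{AUTHORIZE_URL}?oauth_token={pct(request_token)}&perms={pct(perms)}"


def access_token_params(api_key, api_secret, request_token, request_token_secret, verifier, **kw):
    """Step 4 (OAuth column): signed with the Request Token/Secret, carrying oauth_verifier."""
    return sign_request("GET", ACCESS_TOKEN_URL, {"oauth_verifier": verifier},
                        api_key, api_secret, request_token, request_token_secret, **kw)


def api_call_params(api_key, api_secret, access_token, access_token_secret, url, call_params, **kw):
    """Step 6 (OAuth column): any later API call is signed with the Access Token/Secret."""
    return sign_request("GET", url, call_params, api_key, api_secret, access_token, access_token_secret, **kw)


def legacy_api_sig(api_secret, params):
    """Old method's signature (from the old flickr API docs, not spelled out on the page):
    md5 of the secret followed by every parameter name+value in sorted-name order.
    No nonce, no timestamp, no HMAC: a captured signed URL stays valid if sent again."""
    material = api_secret + "".join(f"{k}{params[k]}" for k in sorted(params))
    return hashlib.md5(material.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Known-answer check: OAuth Core 1.0 Appendix A test vector (values from the spec, not flickr).
    sig = sign_request("GET", "http://photos.example.net/photos",
                       {"file": "vacation.jpg", "size": "original"},
                       "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                       "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00",
                       nonce="kllo9940pd9333jh", timestamp=1191242096)["oauth_signature"]
    print("spec vector ok:", sig == "tR3+Ty81lMeYAr/Fid0kMTYa/WM=")
    # Step 1 with constructed, fake credentials; the proxy would send these to REQUEST_TOKEN_URL.
    print(request_token_params("EXAMPLE_API_KEY", "EXAMPLE_API_SECRET", "http://app.example/callback"))
```

The `__main__` block checks the signer against the OAuth Core 1.0 Appendix A known-answer vector before anything touches real credentials. Note the split the page insists on: every function that takes the API Secret (sign_request and its wrappers, legacy_api_sig) belongs on the server-side proxy, while authorize_url is the only piece the client needs, since that URL is unsigned. The legacy signer also shows why the old scheme is weaker than HMAC with a nonce and timestamp: nothing in its input varies per request, so replay protection has to come from somewhere else.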