The default response value for the invalid OAuth request is 401. Looking at the HTTP specs for response codes (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), it seems that 403 Forbidden is more appropriate. 401 indicates that the client can try again using HTTP Authorization, which obviously isn't allowed in OAuth requests.
Not a big deal, and I could be wrong. Just thought I'd bring it up for discussion.
The default response value for the invalid OAuth request is 401. Looking at the HTTP specs for response codes (http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html), it seems that 403 Forbidden is more appropriate. 401 indicates that the client can try again using HTTP Authorization, which obviously isn't allowed in OAuth requests.
Not a big deal, and I could be wrong. Just thought I'd bring it up for discussion.