I have been experimenting with providing API for my own Rails 3 app and I implemented the OAuth-provider. With OAuth-provider, access_token is the king. Now, my idea is my users will invoke the API like: GET requests (e.g. for listing the instances of a "Comment" resource) -- curl ''http://127.0.0.1:3000/comments.xml?access_token=4fcdab32-3777-4fc0-85fd-71f4ef5c7986'' POST requests (e.g. posting a form for creating a new comment) -- curl -F "text=incredible article!" -F "access_token=4fcdab32-3777-4fc0-85fd-71f4ef5c7986" -F "article_id=1" http://127.0.0.1:3000/comments.xml (All the requests are on SSL in production). I implemented the Rack middleware as: https://gist.github.com/2582579 -- basically, it looks at the request and sets the associated user_id in the session if the request has valid access_token. It works well for GET requests, but fails for POST request. The session I modified in the Middleware is simply not available in ApplicationController in the same request! I have made sure that use ActionDispatch::Session::CookieStore appears "before" my Rack Middleware. What confuses me is it works for GET requests and not for POST requests. Does this make sense? Any idea what I may be doing wrong? (Almost about to give up on Rack and resorting to before_filter ...) Regards, Kedar -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/gtZj6LWg-owJ. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.