From dfc9b78a163bdae62742b982257add4838751ba1 Mon Sep 17 00:00:00 2001
From: Eugen <eugen@zeonfederated.com>
Date: Wed, 5 Oct 2016 14:01:28 +0200
Subject: [PATCH] Updated Testing with cURL (markdown)

---
 Testing-with-cURL.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Testing-with-cURL.md b/Testing-with-cURL.md
index 8701e4c..348796a 100644
--- a/Testing-with-cURL.md
+++ b/Testing-with-cURL.md
@@ -1,6 +1,6 @@
 Mastodon builds around the idea of being a server first, rather than a client itself. Similarly to how a XMPP chat server communicates with others and with its own clients, Mastodon takes care of federation to other networks, like other Mastodon or GNU Social instances. So Mastodon provides a REST API, and a 3rd-party app system for using it via OAuth2.
 
-Once logged in on Mastodon, you can go to Authorized Apps -> Register new app here. You can create a new OAuth application, and once you do so, you will get a Client ID and a Client Secret. You can use those with an OAuth client library of your choice, but in this example we want to just use the API over cURL.
+You can get a client ID and client secret required for OAuth [via an API end-point](https://github.com/Gargron/mastodon/wiki/API#oauth-apps).
 
 From these two, you will need to acquire an access token. It is possible to do using your account's e-mail and password like this:
 
@@ -8,4 +8,6 @@ From these two, you will need to acquire an access token. It is possible to do u
 
 The response will be a JSON object containing the key `access_token`. Use that token in any API requests by setting a header like this:
 
-    curl --header "Authorization: Bearer ACCESS_TOKEN_HERE" -sS https://mastodon.social/api/statuses/home
\ No newline at end of file
+    curl --header "Authorization: Bearer ACCESS_TOKEN_HERE" -sS https://mastodon.social/api/statuses/home
+
+Please note that the password-based approach is not recommended especially if you're dealing with other user's accounts and not just your own. Usually you would use the authorization grant approach where you redirect the user to a web page on the original site where they can login and authorize the application and are then redirected back to your application with an access code.
\ No newline at end of file