I know this is old but the OAuth advice aged well. Two years later it's still the part of every integration project that eats the most time relative to how simple it seems... Prefixed tokens especially is one of those things that seems obvious in hindsight but saves a ton in support.
