include oauth_verifier as a header, not a parameter #1825
Per RFC 5849, the POST request for
Per [RFC 5849](http://tools.ietf.org/html/rfc5849), the POST request for the access token should not include a body, but instead include the verifier as part of the "Authorization: OAuth" header. The current code is broken for authentication against servers which verify the body of the POST request (in particular, Fitbit has recently switched to this verification).
Hi @paulswartz; I'm discussing this with the team and so far it looks to me like this is something we might want to take. In the meantime, would you be able to sign the Meteor CLA? https://contribute.meteor.com/
(We're supposed to have a bot that asks you to do this, but looks like our bot might be sickly right now.)