We have a bit of docs on what OAuth 1.0A is: [node:3240]. With OAuth 1.0A, you use a server-side language (perhaps Javascript if you’re running node.js, otherwise Javascript is not traditionally used as it is not a secure way to maintain token secrets).
For a web application, you start a series of requests to Twitter, resulting in you sending the user to a twitter.com page to enter their credentials. Once that step is complete you are given an access token which allows you to make further calls on their behalf.
xAuth is not granted to websites as they can leverage this callback approach instead and there’s no reason a user should be giving a third party their Twitter credentials if they don’t have to.
