diff --git a/actions/apioauthauthorize.php b/actions/apioauthauthorize.php
index d0b6211400..ea5c30c2ac 100644
--- a/actions/apioauthauthorize.php
+++ b/actions/apioauthauthorize.php
@@ -464,7 +464,10 @@ class ApiOauthAuthorizeAction extends Action
             $pin->showPage();
         } else {
 
-            // NOTE: This should probably never happen; trhow an error instead?
+            // NOTE: This would only happen if an application registered as
+            // a web application but sent in 'oob' for the oauth_callback
+            // parameter. Usually web apps will send in a callback and
+            // not use the pin-based workflow.
 
             $info = new InfoAction(
                 $title,
diff --git a/actions/apioauthrequesttoken.php b/actions/apioauthrequesttoken.php
index 4f4c2c8fb2..825460f93c 100644
--- a/actions/apioauthrequesttoken.php
+++ b/actions/apioauthrequesttoken.php
@@ -87,7 +87,7 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
 
         try {
 
-            $req   = OAuthRequest::from_request();
+            $req = OAuthRequest::from_request();
 
             // verify callback
             if (!$this->verifyCallback($req->get_parameter('oauth_callback'))) {
@@ -137,6 +137,11 @@ class ApiOauthRequestTokenAction extends ApiOauthAction
     {
         if ($callback == "oob") {
             common_debug("OAuth request token requested for out of bounds client.");
+
+            // XXX: Should we throw an error if a client is registered as a
+            // web application but requests the pin based workflow? For now I'm
+            // allowing the workflow to proceed and issuing a pin. --Zach
+
             return true;
         } else {
             return Validate::uri(