diff --git a/actions/apioauthaccesstoken.php b/actions/apioauthaccesstoken.php
index db82f656ad..9b99724d0c 100644
--- a/actions/apioauthaccesstoken.php
+++ b/actions/apioauthaccesstoken.php
@@ -31,7 +31,7 @@ if (!defined('STATUSNET')) {
     exit(1);
 }
 
-require_once INSTALLDIR . '/lib/api.php';
+require_once INSTALLDIR . '/lib/apioauthstore.php';
 
 /**
  * Exchange an authorized OAuth request token for an access token
@@ -43,7 +43,63 @@ require_once INSTALLDIR . '/lib/api.php';
  * @link     http://status.net/
  */
 
-class ApiOauthAccessTokenAction extends ApiAction
+class ApiOauthAccessTokenAction extends Action
 {
 
+    /**
+     * Is read only?
+     *
+     * @return boolean false
+     */
+    function isReadOnly()
+    {
+        return false;
+    }
+
+    /**
+     * Class handler.
+     *
+     * @param array $args array of arguments
+     *
+     * @return void
+     */
+    function handle($args)
+    {
+        parent::handle($args);
+
+        $datastore   = new ApiStatusNetOAuthDataStore();
+        $server      = new OAuthServer($datastore);
+        $hmac_method = new OAuthSignatureMethod_HMAC_SHA1();
+
+        $server->add_signature_method($hmac_method);
+
+	$atok = null;
+
+        try {
+            $req  = OAuthRequest::from_request();
+            $atok = $server->fetch_access_token($req);
+
+        } catch (OAuthException $e) {
+            common_log(LOG_WARN, 'API OAuthException - ' . $e->getMessage());
+	    common_debug(var_export($req, true));
+	    $this->outputError($e->getMessage());
+	    return;
+        }
+
+	if (empty($atok)) {
+	    common_debug('couldn\'t get access token.');
+	    $this->outputError("Badness.");
+	    return;
+	}
+
+	print $atok;
+    }
+
+    function outputError($msg)
+    {
+	header('HTTP/1.1 401 Unauthorized');
+	header('Content-Type: text/html; charset=utf-8');
+	print $msg . "\n";
+    }
 }
+
diff --git a/classes/Oauth_application.php b/classes/Oauth_application.php
index d4de6d82e1..5df8b9459c 100644
--- a/classes/Oauth_application.php
+++ b/classes/Oauth_application.php
@@ -88,4 +88,18 @@ class Oauth_application extends Memcached_DataObject
         return $this->update($orig);
     }
 
+    static function getByConsumerKey($key)
+    {
+	if (empty($key)) {
+	    return null;
+	}
+
+	$app = new Oauth_application();
+	$app->consumer_key = $key;
+	$app->limit(1);
+	$result = $app->find(true);
+
+	return empty($result) ? null : $app;
+    }
+
 }
diff --git a/lib/apioauthstore.php b/lib/apioauthstore.php
index a92a4d6e49..290ce89730 100644
--- a/lib/apioauthstore.php
+++ b/lib/apioauthstore.php
@@ -39,19 +39,45 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore
     function new_access_token($token, $consumer)
     {
         common_debug('new_access_token("'.$token->key.'","'.$consumer->key.'")', __FILE__);
-        $rt = new Token();
+
+	$rt = new Token();
         $rt->consumer_key = $consumer->key;
         $rt->tok = $token->key;
         $rt->type = 0; // request
-        if ($rt->find(true) && $rt->state == 1) { // authorized
+
+        $app = Oauth_application::getByConsumerKey($consumer->key);
+
+	if (empty($app)) {
+	    common_debug("empty app!");
+	}
+
+	if ($rt->find(true) && $rt->state == 1) { // authorized
             common_debug('request token found.', __FILE__);
-            $at = new Token();
+
+	    // find the associated user of the app
+
+	    $appUser = new Oauth_application_user();
+	    $appUser->application_id = $app->id;
+	    $appUser->token = $rt->tok;
+	    $result = $appUser->find(true);
+
+	    if (!empty($result)) {
+		common_debug("Oath app user found.");
+	    } else {
+		common_debug("Oauth app user not found.");
+		return null;
+	    }
+
+	    // go ahead and make the access token
+
+	    $at = new Token();
             $at->consumer_key = $consumer->key;
             $at->tok = common_good_rand(16);
             $at->secret = common_good_rand(16);
             $at->type = 1; // access
             $at->created = DB_DataObject_Cast::dateTime();
-            if (!$at->insert()) {
+
+	    if (!$at->insert()) {
                 $e = $at->_lastError;
                 common_debug('access token "'.$at->tok.'" not inserted: "'.$e->message.'"', __FILE__);
                 return null;
@@ -64,23 +90,23 @@ class ApiStatusNetOAuthDataStore extends StatusNetOAuthDataStore
                     return null;
                 }
                 common_debug('request token "'.$rt->tok.'" updated', __FILE__);
-                // Update subscription
-                // XXX: mixing levels here
-                $sub = Subscription::staticGet('token', $rt->tok);
-                if (!$sub) {
-                    return null;
-                }
-                common_debug('subscription for request token found', __FILE__);
-                $orig_sub = clone($sub);
-                $sub->token = $at->tok;
-                $sub->secret = $at->secret;
-                if (!$sub->update($orig_sub)) {
-                    return null;
-                } else {
-                    common_debug('subscription updated to use access token', __FILE__);
-                    return new OAuthToken($at->tok, $at->secret);
-                }
-            }
+
+		// update the token from req to access for the user
+
+	        $orig = clone($appUser);
+		$appUser->token = $at->tok;
+		$result = $appUser->update($orig);
+
+		if (empty($result)) {
+		    common_debug('couldn\'t update OAuth app user.');
+		    return null;
+		}
+
+		// Okay, good
+
+		return new OAuthToken($at->tok, $at->secret);
+	    }
+
         } else {
             return null;
         }