So, here's what I'm really curious about. Anybody know why they didn't use OAuth 2.0? Some of the bits of this API smell somewhat like OAuth, but this seems simpler and is handled mostly in the frontend (via an iframe I assume) vs. the URL redirect dance of OAuth.

Is this what OAuth should look like in a more front-end centric web day and age?