Not exactly. When you set up a Project here on YDN, you're given an AppID, Consumer Key, and Consumer Secret. These are all tied to your application, which is user independent.

Say that a user comes to try out your application. At that point, you'll generate a request token by passing up your Consumer Key, Consumer Secret, and a callback URL to Yahoo!'s login servers. The request token will come back with a token/secret as well as a OAuth Request Auth URL.

When you send the user to the OAuth Request Auth URL, they'll be presented with a login prompt, and then the option to allow your application to access their information. If they agree to that, they'll be redirected back to the callback URL (which ideally is some page served up by your system) with a token and verifier passed along as URL parameters. The token will let you identify which request token to use, which you'll need to have stored somewhere.

Armed with your consumer key, consumer secret, request token, request token secret, and verifier, you can make a request to the Yahoo! login servers for an access token. This is the thing that'll let you actually make requests to our services, and it is scoped to a particular user.

Does all that make sense? Effectively, when you go through OAuth, a particular user will grant you permission to access their data, and the access token you receive will be the proof you need to pass up when you make your request.

Thanks Sean,
you explanation is crystal clear!

one quick follow up question: "user will grant you permission to access their data"
how long is that permission valid ?
indefinitely ?

One last post before I go home. :PPretty sure you have the ability to refresh the token indefinitely as long as the user doesn't actively block you out, but I could be wrong about that.