Hi, Boris @ Bryght recommend that I join this list. So hello all. I'm a little green to the drupal development process so I'm going to jump right in. I was working on Web service authentication token functionality for Drupal 4.7 (or 4.8). I wrote the code today and kept the implementation minimal. I tied it into the session.inc functions in Drupal. Which made the most sense. refer: http://drupal.org/node/46145 for the ongoing discussion. I've attached the patch to this email. Quick summary: 1. Uses the global $user 2. Tokens are passed in the GET string as: xmlrpc.php?token={big long string} 3. The tokens are just PHP session Ids 4. No modification to any current code to use. Code can use user_access(..) as normal to check privileges 5. xmlrpc.php modified so if a valid token exists, it will swap the anonymous sessionid with the authenticated one. Unrelated, but I figured this was useful. Every anonymous xmlrpc request creates a new anonymous session in the sessions table. I added a couple lines of code to get rid of anonymous sessions in xmlrpc_server() right before it send back the response. The same can probably be done for cron.php. Thanks. Ben. -- blog: http://www.mostlygeek.com