For POST/state-changing requests two tokens are required: the
authentication token (passed in as oauth_token in your case) and the
action token (passed in as T, obtained from /reader/api/0/token -
meant to protect against XSRF attacks, needs to be refetched every 30
minutes).
Mihai