API Concepts
The API is built around the conviction that you own the data you put in anyMeta and you should be able to do what you want, whether it's create, read, update, or delete records. The goal is that you should be able to do anything with the API that you can do on the main website and, accordingly the Javascript on the website makes use of the API.
Authentication, and Authorization
OAuth is used both to authorize an API client to act as an anyMeta user and, once completed, to authenticate the API client as the anyMeta user in each API request it makes. There is currently no way for a user to restrict the authorization they give to an API client to a subset of their own permissions, so an authorized API client will always have all the permissions the anyMeta user has. Naturally these permissions may change if the anyMeta user's permissions change.
All OAuth management is done from /module/OAuth, for example http://www.mediamatic.net/module/OAuth. If you're using an existing anyMeta library or app to interface with an anyMeta site then they will send you to the site to authorize their request to use your account. You should be able to easily approve it and then start using the library or app to make API requests. You can see all authorized apps at /module/OAuth/server/token/list.
If you're a developer making apps on top of the API or just need to access the API directly with raw HTTP requests, then you'll be particularly interested in information about how to be an OAuth consumer. /module/OAuth/server/ is the place to start and you can register an app and get a consumer key and secret at /module/OAuth/server/register. Registration is instantaneous. Make sure to give as much information as possible so future users will know they can trust your app with access to their data!
If you're making something that you will distribute to end users, like a mobile app, you probably won't want to include your consumer key and secret. anyMeta supports requesting an access token without. If your OAuth library requires a consumer token and secret, try using empty strings.
Publishing State
One important property you need to be aware of is 'pubstate'. All Things have this property and when creating them via the API they will default to the unpublished state, or '0'. Passing the 'pubstate' property with value '1' will mark the Thing as published. These are the two most important publishing states but there are more, so treat this property as a number, not a boolean.
Response Formats
The default response format is XML but JSON may be returned instead if you add the query parameter 'format' with the value 'json' to the request URL.