- User fetches token with just format=json
- User tries to make an edit using format=json&callback=foo not realizing that a different token is required (or they accidentally have callback checked in api sandbox without realizing [easier to do than it sounds])
- User gets a badtoken error
It'd be nice if the error message was more helpful. Its non-obvious that the token when using callback= is totally different. Also maybe apisandbox should fetch the anon token if callback=foo parameter is set.