The first step in talking to a Mastodon/OStatus instance is to authenticate to the API. The docs are rather scarce on this topic so I'm putting a path-of-least-resistance note here on how to get started.
OAuth has the concept of an app that is accessing your account. In theory, this lets the site administrator deny access to a particular piece of software. Start by registering the app with the Mastodon instance.
$ curl https://mastodon.xyz/api/v1/apps -d "client_name=superbot&redirect_uris=http://example.com&scopes=read"
{"id":2..., "redirect_uri":"http://example.com", "client_id":"51d...", "client_secret":"80a..."}
Once a client ID is established, visit the authorize endpoint in a browser.
https://mastodon.xyz/oauth/authorize?client_id=51d..&response_type=code&redirect_uri=http://example.com
The browser will be redirected to the redirect_uri with a code.
http://example.com/?code=807...
Here's where it all comes together: the client id, the client secret, and the code.
$ curl -D - 'https://mastodon.xyz/oauth/token' -d 'client_id=51d...&client_secret=80a...&redirect_uri=http://example.com&grant_type=authorization_code&code=807...'
{"access_token":"c5a...","token_type":"bearer","scope":"read","created_at":1492622263}
Then you will be rewarded with an access_token for use in private Mastodon API calls.
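The three steps above as one script, added here as an example and not part of the original note. It uses the same instance, endpoints and redirect URI as the curl commands; the `state` value is the standard OAuth 2.0 anti-forgery parameter, which the note does not use, and the script assumes the instance echoes it back on the redirect.

```python
import json
import secrets
import urllib.parse
import urllib.request

INSTANCE = "https://mastodon.xyz"    # instance used in this note
REDIRECT_URI = "http://example.com"  # redirect URI used in this note

def post_form(path, fields):
    """POST form-encoded fields (urlencode escapes them) and decode the JSON reply."""
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(INSTANCE + path, data=body, timeout=10) as resp:
        return json.load(resp)

def register_app(name="superbot", scopes="read"):
    """Step 1: register the app; the reply holds client_id and client_secret."""
    return post_form("/api/v1/apps", {
        "client_name": name, "redirect_uris": REDIRECT_URI, "scopes": scopes})

def authorize_url(client_id, state):
    """Step 2: URL to open in a browser. `state` is an addition (assumption)."""
    query = urllib.parse.urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": REDIRECT_URI, "state": state})
    return INSTANCE + "/oauth/authorize?" + query

def code_from_redirect(landed_url, expected_state):
    """Extract ?code= from the URL the browser landed on; reject a foreign state."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(landed_url).query)
    got = params.get("state", [""])[0]
    if not secrets.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: this redirect is not ours")
    if "code" not in params:
        raise ValueError("no code in redirect: " + params.get("error", ["unknown"])[0])
    return params["code"][0]

def exchange_code(client_id, client_secret, code):
    """Step 3: trade the one-time code for an access token."""
    reply = post_form("/oauth/token", {
        "client_id": client_id, "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI, "grant_type": "authorization_code", "code": code})
    return reply["access_token"]

if __name__ == "__main__":
    app = register_app()
    state = secrets.token_urlsafe(16)
    print("Open in a browser:", authorize_url(app["client_id"], state))
    code = code_from_redirect(input("Paste the URL you were redirected to: "), state)
    token = exchange_code(app["client_id"], app["client_secret"], code)
    print("Got an access token of length", len(token))  # do not echo the secret
```

The client_secret and access_token are credentials: keep them out of shell history, logs and version control.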
In reading some other code, it should work to use a grant_type of password: the browser step can be skipped, going directly to the oauth/token step and adding username= and password=. I tried this myself without success, but it might have been something small I overlooked that's causing the error. Also, username/password is not recommended as an auth flow anyway.