Documentation

OAuth 1.0a

OAuth 1.0a¶

Authentication
OAuth 1.0a

What is OAuth 1.0a?¶

OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

Paw natively supports OAuth 1 signature and Authorization header.

Setup OAuth 1.0a¶

Find your OAuth 1 credentials

Find your OAuth 1 credentials¶

App Credentials: the app credentials (Consumer Key and Consumer Secret) should be easy to find as they are usually given directly by the provider.
User Credentials: the user credentials (Token aka. Access Token, and Secret aka. Access Token Secret) may be harder to find, depending on the API provider.

Note: Paw doesn’t handle the token request and authorization process for OAuth 1 yet, so you have to request a token yourself. You may check the OAuth 1.0a Token Generator to do this.

Set the authorization type

Set the authorization type¶

Go to the Auth tab and choose OAuth 1.

Enter your credentials

Enter your credentials¶

Using `HMAC-SHA1` and `PLAINTEXT` signature algorithms¶

Consumer Key: app credentials.

Consumer Secret: app credentials.

Token (aka. Access Token): user credentials.

Token Secret (aka. Access Token Secret): user credentials.

Timestamp: for a normal use, leave this as is.

Nonce: for a normal use, leave this as is.

Signature Method: pick the signature algorithm it’s expecting (HMAC-SHA1 or PLAINTEXT).

Callback URL: you probably can leave this empty.

Additional Params: you probably can leave this empty, unless you want to pass additional OAuth fields (e.g. myfield=myvalue).

Body Hash: whether to include a body hash field when required by the spec. Can depend on the provider.

Using `RSA-SHA1` signature algorithm¶

Consumer Key: app credentials.

Consumer Private Key: RSA Private Key given by OAuth provider.

Token (aka. Access Token): user credentials.

Timestamp: for a normal use, leave this as is.

Nonce: for a normal use, leave this as is.

Signature Method: pick the signature algorithm it’s expecting (RSA-SHA1).

Callback URL: you probably can leave this empty.

Additional Params: you probably can leave this empty, unless you want to pass additional OAuth fields (e.g. myfield=myvalue).

Body Hash: whether to include a body hash field when required by the spec. Can depend on the provider.

Done

Done¶

Paw will add the Authorization header automatically. You can check it in the Headers tab. Your request is now configured for OAuth 1 and you’re ready to send the request!

Use Environment Variables¶

orphan:

As you may often switch between development and production environments, or between several users, you may need to have several OAuth credentials you may apply to your Requests. You can keep those credentials in Environments, and then use them in the OAuth Header Dynamic Value.

Read more about Environments and how to use Environments as Reusable Presets.

Examples¶

Twitter API with Paw