Authorizing a request
This document shows you how to modify HTTP requests so that they are sent as authorized requests to the X API. All of X’s APIs are based on the HTTP protocol. This means that any software you write which uses X’s APIs sends a series of structured messages to X’s servers. For example, a request to post the text “Hello Ladies + Gentlemen, a signed OAuth request!” as a Tweet will look something like this:

- Which application is making the request
- Which user the request is posting on behalf of
- Whether the user has granted the application authorization to post on the user’s behalf
- Whether the request has been tampered with by a third party while in transit
| Parameter | Value |
| --- | --- |
| oauth_consumer_key | xvz1evFS4wEEPTGEFPHBog |
| oauth_nonce | kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg |
| oauth_signature | tnnArxj06cWHq44gCs1OSKk/jLY= |
| oauth_signature_method | HMAC-SHA1 |
| oauth_timestamp | 1318622958 |
| oauth_token | 370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb |
| oauth_version | 1.0 |
Building the header string
To build the header string, imagine writing to a string named DST.

- Append the string “OAuth ” (including the space at the end) to DST.
- For each key/value pair of the 7 parameters listed above:
  - Percent encode the key and append it to DST.
  - Append the equals character ‘=’ to DST.
  - Append a double quote ‘”’ to DST.
  - Percent encode the value and append it to DST.
  - Append a double quote ‘”’ to DST.
  - If there are key/value pairs remaining, append a comma ‘,’ and a space ‘ ’ to DST.
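
The DST steps above, written out as an added Python example (not X's own code), using the seven parameter values from this page. The function names are assumptions, and `parse_authorization_header` is a hypothetical receiver-side inverse included only to show that percent encoding keeps a value containing quotes, commas or spaces inside its own key/value pair.

```python
from urllib.parse import quote, unquote

# Parameter values copied from the table on this page.
PAGE_PARAMS = [
    ("oauth_consumer_key", "xvz1evFS4wEEPTGEFPHBog"),
    ("oauth_nonce", "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg"),
    ("oauth_signature", "tnnArxj06cWHq44gCs1OSKk/jLY="),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1318622958"),
    ("oauth_token", "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb"),
    ("oauth_version", "1.0"),
]

def percent_encode(text):
    """RFC 3986 encoding: only A-Z a-z 0-9 '-' '.' '_' '~' stay unescaped."""
    return quote(text, safe="~")

def build_authorization_header(params):
    """Follow the DST steps: 'OAuth ', then key="value" pairs joined by ', '."""
    pairs = list(params)
    dst = "OAuth "
    for index, (key, value) in enumerate(pairs):
        dst += percent_encode(key) + '="' + percent_encode(value) + '"'
        if index < len(pairs) - 1:  # key/value pairs remaining
            dst += ", "
    return dst

def parse_authorization_header(header):
    """Hypothetical inverse of the builder, used to check round-tripping."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth header")
    parsed = {}
    for item in rest.split(", "):
        key, _, quoted = item.partition("=")
        if len(quoted) < 2 or not (quoted[0] == quoted[-1] == '"'):
            raise ValueError(f"malformed pair: {item!r}")
        parsed[unquote(key)] = unquote(quoted[1:-1])
    return parsed

# Constructed edge case: a value carrying the header's own delimiters.
AWKWARD_NONCE = 'abc", oauth_token="other'

if __name__ == "__main__":
    print(build_authorization_header(PAGE_PARAMS))
    edge = [(k, AWKWARD_NONCE if k == "oauth_nonce" else v) for k, v in PAGE_PARAMS]
    print(parse_authorization_header(build_authorization_header(edge))["oauth_nonce"])
```

If the values were appended without percent encoding, the constructed nonce would close its own quotes and read as an extra `oauth_token` pair; encoded, it stays a single value.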