Creating a signature
This page explains how to generate an OAuth 1.0a HMAC-SHA1 signature for an HTTP request. This signature will be suitable for passing to the X API as part of an authorized request, as described in authorizing a request. The request used to demonstrate signing is a POST to https://api.x.com/1.1/statuses/update.json. The raw request looks like this:
HTTP Method | POST |
Base URL | https://api.x.com/1.1/statuses/update.json |
Collecting parameters
Next, gather all of the parameters included in the request. There are two such locations for these additional parameters - the URL (as part of the query string) and the request body. The sample request includes a single parameter in both locations:
status | Hello Ladies + Gentlemen, a signed OAuth request! |
include_entities | true |
oauth_consumer_key | xvz1evFS4wEEPTGEFPHBog |
oauth_nonce | kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg |
oauth_signature_method | HMAC-SHA1 |
oauth_timestamp | 1318622958 |
oauth_token | 370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb |
oauth_version | 1.0 |
- Percent encode every key and value that will be signed.
- Sort the list of parameters alphabetically [1] by encoded key [2].
- For each key/value pair:
  - Append the encoded key to the output string.
  - Append the ‘=’ character to the output string.
  - Append the encoded value to the output string.
  - If there are more key/value pairs remaining, append a ‘&’ character to the output string.
Creating the signature base string
The three values collected so far must be joined to make a single string, from which the signature will be generated. This is called the signature base string by the OAuth specification. To encode the HTTP method, base URL, and parameter string into a single string:
- Convert the HTTP Method to uppercase and set the output string equal to this value.
- Append the ‘&’ character to the output string.
- Percent encode the URL and append it to the output string.
- Append the ‘&’ character to the output string.
- Percent encode the parameter string and append it to the output string.
Getting a signing key
The last pieces of data to collect are secrets which identify the X app making the request, and the user the request is on behalf of. It is very important to note that these values are incredibly sensitive and should never be shared with anyone. The value which identifies your app to X is called the consumer secret and can be found in the developer portal by viewing the app details page. This will be the same for every request your X app sends.
Consumer secret | kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw |
OAuth token secret | LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE |
Signing key | kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw&LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE |
Calculating the signature
Finally, the signature is calculated by passing the signature base string and signing key to the HMAC-SHA1 hashing algorithm. Implementations of the algorithm are available in most languages; PHP, for example, provides it as the hash_hmac function. The output of the HMAC signing function is a binary string. This needs to be base64 encoded to produce the signature string. For example, the output given the base string and signing key given on this page is 2E CF 77 84 98 99 6D 0D DA 90 5D C7 17 7C 75 07 3F 3F CD 4E. That value, when converted to base64, is the OAuth signature for this request:
OAuth signature | Ls93hJiZbQ3akF3HF3x1Bz8/zU4= |
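The full procedure on this page as one runnable sketch, added here as an example and not taken from X's documentation or SDKs. The helper names (pct, parameter_string, base_string, signing_key, sign, verify) are this example's own, and the inputs are the sample values shown above. Percent-encoding each secret inside signing_key follows RFC 5849, and verify shows the receiving side recomputing the signature and comparing it in constant time.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left literal.
    return quote(value, safe="")

def parameter_string(params):
    # Encode first, then sort by encoded key; tuple sort breaks ties by value.
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)

def base_string(method, url, params):
    return "&".join([method.upper(), pct(url), pct(parameter_string(params))])

def signing_key(consumer_secret, token_secret=""):
    # RFC 5849 percent-encodes each secret before joining them with '&'.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify(signature, method, url, params, consumer_secret, token_secret=""):
    # Receiving side: recompute, then compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), signature.encode())

# Sample values copied from this page (published documentation samples).
URL = "https://api.x.com/1.1/statuses/update.json"
PARAMS = [
    ("status", "Hello Ladies + Gentlemen, a signed OAuth request!"),
    ("include_entities", "true"),
    ("oauth_consumer_key", "xvz1evFS4wEEPTGEFPHBog"),
    ("oauth_nonce", "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1318622958"),
    ("oauth_token", "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb"),
    ("oauth_version", "1.0"),
]
CONSUMER_SECRET = "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw"
TOKEN_SECRET = "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE"

if __name__ == "__main__":
    print(base_string("POST", URL, PARAMS))
    print(sign("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

The status value is encoded twice in the base string (a space becomes %20 in the parameter string and %2520 in the base string), which is the step most often missed when a server rejects a signature.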