Protocol Explorer

OAuth 1.0a — Three-Legged Flow

The complete OAuth 1.0a three-legged (redirection-based) authorization flow. The Consumer obtains a Request Token, redirects the user to authorize, receives a verifier, exchanges it for an Access Token, and makes a signed API call. Each step shows the full HMAC-SHA1 signature construction.

RFC 5849
Sequence diagram (participants: Consumer App, User / Browser, Service Provider):

1. POST /oauth/initiate → 200
2. Redirect → /oauth/authorize
3. GET /oauth/authorize
4. POST /oauth/authorize (Gran…
5. Callback with oauth_verifier
6. POST /oauth/token
7. GET /api/photos (protected)

POST https://api.example.com/oauth/initiate → 200

The Consumer begins the OAuth dance by requesting a temporary credential (Request Token) from the Service Provider. The request is signed with HMAC-SHA1 using only the Consumer Secret (token secret is empty at this stage). The oauth_callback tells the SP where to redirect the user after authorization.

No oauth_token is sent in this request — the consumer only has its consumer_key and consumer_secret at this point.

The signing key is consumer_secret + "&" + "" (empty token secret), resulting in a trailing ampersand.

The oauth_nonce must be unique per request to prevent replay attacks.

Response includes oauth_callback_confirmed=true per OAuth 1.0a spec (RFC 5849 §2.1).


Step 1: POST /oauth/initiate

Request / response

POST https://api.example.com/oauth/initiate
Authorization: OAuth realm="https://api.example.com", oauth_consumer_key="dpf43f3p2l4k3l03", oa…
Content-Type: application/x-www-form-urlencoded
Host: api.example.com

Cryptographic Signature

Construction Steps

1. Collect OAuth Parameters (raw values, before any encoding)
oauth_callback=http://consumer.example.com/cb
oauth_consumer_key=dpf43f3p2l4k3l03
oauth_nonce=wIjqoS
oauth_signature_method=HMAC-SHA1
oauth_timestamp=137131200
oauth_version=1.0
2. Percent-encode and Sort Parameters
oauth_callback=http%3A%2F%2Fconsumer.example.com%2Fcb
oauth_consumer_key=dpf43f3p2l4k3l03
oauth_nonce=wIjqoS
oauth_signature_method=HMAC-SHA1
oauth_timestamp=137131200
oauth_version=1.0
3. Build Normalized Parameter String
oauth_callback=http%3A%2F%2Fconsumer.example.com%2Fcb&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_nonce=wIjqoS&oauth_signature_method=HMAC-SHA1&oauth_timestamp=137131200&oauth_version=1.0
4. Build Signature Base String (method, base URL and normalized string are each percent-encoded again and joined with "&", which is why %3A in the callback becomes %253A)
POST
&
https%3A%2F%2Fapi.example.com%2Foauth%2Finitiate
&
oauth_callback%3Dhttp%253A%252F%252Fconsumer.example.com%252Fcb%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3DwIjqoS%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131200%26oauth_version%3D1.0
5. Build Signing Key
kd94hf93k423kf44& (consumer_secret + "&" + empty_token_secret)
6. Compute HMAC-SHA1 and Base64 Encode
HMAC-SHA1(signing_key, base_string) → raw bytes → Base64
→ 74KNZJeDHnMBp0EMJ9ZHe/LfEeA=
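The six construction steps above carried out in code, as an added example that is not code from this page or from Protocol Explorer: it builds the normalized string and base string from the raw parameters (the point where the callback's %3A turns into %253A), derives the signing key with its trailing ampersand, and adds the constant-time comparison a Service Provider would run on the presented signature. The sample values are this page's Step 1 values, embedded as constants, so nothing is sent anywhere.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 5849 §3.6 encoding: only A-Z a-z 0-9 - . _ ~ are left unencoded."""
    return quote(s, safe="")


def normalize_params(params: dict) -> str:
    """Encode each name and value, sort by encoded name then value, join as k=v&k=v.
    The caller passes the OAuth parameters only; realm and oauth_signature are never included."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string(method: str, url: str, params: dict) -> str:
    """Method, base URL and normalized string, each percent-encoded once more, joined with '&'.
    Encoding the normalized string again is what turns %3A into %253A."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """consumer_secret '&' token_secret; with no token yet the key simply ends in '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed with the signing key, Base64-encoded (Step 6)."""
    key = signing_key(consumer_secret, token_secret).encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(method: str, url: str, params: dict, consumer_secret: str,
           token_secret: str, presented_sig: str) -> bool:
    """Service Provider side: recompute from the received parameters and compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_sig)


# Constructed sample: the Step 1 values shown on this page (fixed nonce and timestamp for a reproducible run).
INITIATE_URL = "https://api.example.com/oauth/initiate"
CONSUMER_SECRET = "kd94hf93k423kf44"
INITIATE_PARAMS = {
    "oauth_callback": "http://consumer.example.com/cb",
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_nonce": "wIjqoS",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131200",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(base_string("POST", INITIATE_URL, INITIATE_PARAMS))
    print(sign("POST", INITIATE_URL, INITIATE_PARAMS, CONSUMER_SECRET))
```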

Signature Base String

POST&https%3A%2F%2Fapi.example.com%2Foauth%2Finitiate&oauth_callback%3Dhttp%253A%252F%252Fconsumer.example.com%252Fcb%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3DwIjqoS%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131200%26oauth_version%3D1.0

Signing Key

kd94hf93k423kf44& (consumer_secret + "&" + empty_token_secret)

Signature Output

74KNZJeDHnMBp0EMJ9ZHe/LfEeA=