OAuth 1.0 enables client applications to access data provided by a third-party API. For example, as a user of a service, you can grant another application access to your data with that service without exposing details like your username and password. Accessing user data with OAuth 1.0 involves a few requests back and forth between client application, user, and service provider.
OAuth 1.0 is sometimes referred to as "two-legged" (auth only between client and server) or "three-legged" (where a client requests data for a user of a third-party service). An example OAuth 1.0 flow could run as follows:
Postman supports OAuth Core 1.0 Revision A.
To use OAuth 1.0, do the following:
In the Authorization tab for a request, select OAuth 1.0 from the Type dropdown list.
Select a Signature Method from the dropdown list. This will determine which parameters to include with your request. Postman supports HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512, and PLAINTEXT.
For an HMAC or PLAINTEXT signature, Postman will provide Consumer Key, Consumer Secret, Access Token, and Token Secret fields.
For an RSA signature, Postman will present Consumer Key, Access Token, and Private Key inputs.
You can optionally set advanced details; otherwise Postman will try to autocomplete these.
You can include the auth details either in the request headers or in the body / URL. Select one from the Add authorization to dropdown list. Open the Headers or Body tab if you want to check how the details will be included with the request.
If you send the OAuth 1.0 data in the headers, the request includes an Authorization header that sends your key and secret values appended to the string OAuth, together with additional comma-separated required details.
Postman will append the OAuth 1.0 information to the request Headers when you have completed all required fields in your Authorization setup.
If you send the OAuth 1.0 data in the body and URL, the data is added either in the request Body or Parameters depending on the request method.
If the request method is POST or PUT, and if the request body type is x-www-form-urlencoded, Postman will add the authorization parameters to the request body. Otherwise, for example in a GET request, your key and secret data will be passed in the URL query parameters.
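As an added example (not Postman's own code), the following Python builds the OAuth 1.0 signature and Authorization header for the HMAC and PLAINTEXT methods as defined in RFC 5849. It shows that with HMAC the secrets only key the signature and do not appear in the request, while with PLAINTEXT the oauth_signature is the two secrets themselves, so that method relies entirely on TLS. The function names are this example's own, the inputs are the published sample values from Appendix A of the OAuth Core 1.0 specification, and it assumes a URL without an explicit port and no form-encoded body parameters.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Sample inputs: the published example from Appendix A of OAuth Core 1.0
SAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
# Assumption: HMAC-SHA256/512 reuse the HMAC-SHA1 construction with another digest
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256,
           "HMAC-SHA512": hashlib.sha512}

def pct(value):
    """Percent-encode everything except the RFC 3986 unreserved characters."""
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params):
    """Signature base string: METHOD & base URL & sorted, encoded parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    if oauth_params["oauth_signature_method"] == "PLAINTEXT":
        return key  # PLAINTEXT: the secrets themselves are the signature
    digest = DIGESTS[oauth_params["oauth_signature_method"]]
    text = base_string(method, url, oauth_params)
    return base64.b64encode(hmac.new(key.encode(), text.encode(), digest).digest()).decode()

def authorization_header(method, url, oauth_params, consumer_secret, token_secret=""):
    signed = dict(oauth_params)
    signed["oauth_signature"] = sign(method, url, oauth_params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))

def verify(method, url, received_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign(method, url, received_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received_params.get("oauth_signature", ""))

if __name__ == "__main__":
    print(authorization_header("GET", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
```

Because the query parameters are part of the signed base string, changing the URL after signing makes `verify` fail.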
The OAuth 1.0 auth parameter values are as follows:
HMAC and PLAINTEXT signing methods.)
HMAC and PLAINTEXT signing methods.)
RSA signing methods.)
WWW-Authenticate response header.
application/x-www-form-urlencoded. (Deactivated when you're using callback URL / verifier.)
If your server implementation of OAuth 1.0 requires it, select Add empty parameters to signature.
You can also select the checkbox to Encode the parameters in the authorization header for your request.
Last modified: 2022/12/12