Authenticate with OAuth 1.0 authentication in Postman

OAuth 1.0 enables client applications to access data provided by a third-party API. For example, as a user of a service, you can grant another application access to your data with that service without exposing details like your username and password. Accessing user data with OAuth 1.0 involves a few requests back and forth between client application, user, and service provider.

OAuth 1.0 overview

OAuth 1.0 is sometimes referred to as "two-legged" (auth only between client and server) or "three-legged" (where a client requests data for a user of a third-party service). An example OAuth 1.0 flow could run as follows:

  • To request user data with a third-party service, a consumer (client application) requests an access token using credentials such as a key and secret.
  • The service provider issues an initial token (that doesn't provide access to user data) and the consumer requests authorization from the user.
  • When the user grants auth, the consumer makes a request to exchange the temporary token for an access token, passing verification from the user auth.
  • The service provider returns the access token and the consumer can then make requests to the service provider to access the user's data.

Postman supports OAuth Core 1.0 Revision A.

Use OAuth 1.0

To use OAuth 1.0, do the following:

  1. In the Authorization tab for a request, select OAuth 1.0 from the Auth Type dropdown list.

  2. Select the Add authorization to dropdown list to specify if you want to pass the auth details in the request headers, or body and URL.

  3. Select a Signature Method from the dropdown list that your API uses to authenticate requests. Then enter specific details depending on whether you select an HMAC, PLAINTEXT, or RSA signature method. Learn about the details required for an HMAC or PLAINTEXT signature, and an RSA signature.

  4. You can optionally set advanced details, but Postman will try to generate values for them if necessary.

Add authorization data

From the Add authorization to dropdown list, select whether you want to pass the auth details in the request headers or body. You can open the Headers or Body tab if you want to check how the details will be included with the request.

If you send the OAuth 1.0 data in the headers, an Authorization header sending your key and secret values is appended to the string OAuth together with additional comma-separated required details. Postman will append the OAuth 1.0 information to the request Headers when you have completed all required fields in your Authorization setup.

If you send the OAuth 1.0 data in the body and URL, the data is added either in the request Body or Parameters depending on the request method.

If the request method is POST or PUT, and if the request body type is x-www-form-urlencoded, Postman will add the authorization parameters to the request body. Otherwise, for example in a GET request, your key and secret data will be passed in the URL query parameters.

Use an HMAC or PLAINTEXT signature

To use an HMAC or PLAINTEXT signature method, enter the following details:

  • Consumer Key - A value used to identify a consumer with the service provider.
  • Consumer Secret - A value used by the consumer to establish ownership of the key.
  • Access Token - A value representing the consumer's permission to access the user's data.
  • Token Secret - A value used by the consumer to establish ownership of a given token.

Use an RSA signature

To use an RSA signature method, enter the following details:

  • Consumer Key - A value used to identify a consumer with the service provider.
  • Access Token - A value representing the consumer's permission to access the user's data.
  • Private Key - A private key to generate the auth signature.

Advanced configuration

The advanced parameters are as follows:

  • Callback URL - URL service provider will redirect to following user authorization. (Required if your server uses OAuth 1.0 Revision A.)
  • Verifier - Verification code from service provider after getting user auth.
  • Time Stamp - The timestamp the server uses to prevent replay attacks outside the time window.
  • Nonce - A random string generated by the client.
  • Version - The version of the OAuth authentication protocol (1.0).
  • Realm - A string specified by the server in the WWW-Authenticate response header.
  • Include body hash - Hash for integrity check with request bodies other than application/x-www-form-urlencoded. (Deactivated when you're using callback URL / verifier.)

If your server implementation of OAuth 1.0 requires it, select Add empty parameters to signature.

You can also select the checkbox to Encode the parameters in the authorization header for your request.

Last modified: 2024/08/16

Additional resources

Videos

Intro to Postman | Authorize a Request
How to Use JWT Authorization
Set Up Authorization for Your Public Apis

Blog posts

Announcing easier API authentication in Postman
OAuth 2.0 just got easier: introducing token refresh and ID token support
New custom parameters for OAuth 2.0 token generation in Postman

Case Studies

Intuit uses Postman's authentication protocols
Postmanaut dancing. Illustration.