Step 1: Obtaining a request token

In Step 1 of the OAuth document , the initiate url is and we need the following parameters.

This is the URL that the bank api will return to after authentication. This could be http://localhost/, or This must match the User Redirect URL you used when registering your app. Try putting in
[Help me put in]

This is your Consumer_Key from the previous step.
[Help me put in the Consumer_Key from the image in the previous step]

This is any random string. Nonces are non-reusable. The API will reject calls when a nonce was already seen once.
[Help me put in a random GUID]

We will come to this in a minute.

This must be set to either HMAC-SHA1 or HMAC-SHA256
[Help me put in HMAC-SHA1]
[Help me put in HMAC-SHA256]

This is the current Unix Timestamp, you can find the live timestamp from here
[Help me put in the current timestamp]

This is optional, but let's put in 1.0
[Help me put 1.0]

Once you have entered all the fields (except oauth_signature), you can click on the button below to generate the Signature Base String.

Signature Base String =

A few notes about the Base String:
- Format: "METHOD" + "&" + urlencoded(url) + "&" + oauth_parameters
- oauth_parameters: "key1=value1&key2=value2&key3=value3"
- oauth_parameters have to be sorted in ascending key order
- oauth_parameters needs to be urlencoded
- oauth_callback is urlencoded twice
- URL encoding is case-sensitive. e.g. "=" is encoded to "%3D", not "%3d".

With your Base String, we can now create the oauth_signature.
We need the Consumer_Secret we got from the previous step as the encryption key. You should of course never reveal your secret key to anyone, but this is a sandbox and a tutorial.

[Help me put in the Consumer_Secret from the image in the previous step]

With the Base String, and the Consumer_Secret, we can now generate the signature.

The Signature is constructed with a keyed-hash message authentication code (HMAC) of the Base String message, using your Consumer_Secret and "&" as the key. Consult your favourite language's documentation for this support.

Important to note that the key is (Consumer_Secret + "&"), or "hjkisaqi2ai5e1coze1rbzhpfmgq0n5brmelvcno&" in our example.

Signature =

With the Signature, we can now construct the Authorization header string to make the http call.


With the authorization string, you can make the call with tools like Chrome extension Postman .

1) Make sure you have POST as the method
2) Make sure your api endpoint is or the right endpoint appropriate to your BASE-URL in the previous Step.
3) Open the Headers tab of the request
4) Create a new Key-Value pair with "Authorization" as the key,
5) and the value is the whole string in the textbox above.
6) Send!

If nothing went wrong, you should get a reply that looks like

You will have to remember and make note of this set of oauth_token and oauth_token_secret. We will need them for the next couple of steps.

You've successfully completed Step 1.

Go to Step 2

[See example code in C# for this step]