Step 1: Obtaining a request token



In Step 1 of the OAuth document, the initiate URL is https://apisandbox.openbankproject.com/oauth/initiate and we need the following parameters.


oauth_callback
This is the URL that the bank API will return to after authentication. This could be http://localhost/, or http://yoursite.yourhost.com/. This must match the User Redirect URL you used when registering your app. Try putting in http://127.0.0.1


oauth_consumer_key
This is your Consumer_Key from the previous step.


oauth_nonce
This is any random string. Nonces are non-reusable. The API will reject a call if its nonce has already been seen.


oauth_signature
We will come to this in a minute.


oauth_signature_method
This must be set to either HMAC-SHA1 or HMAC-SHA256.


oauth_timestamp
This is the current Unix timestamp; you can find the live timestamp from here


oauth_version
This is optional, but let's put in 1.0


Once you have entered all the fields (except oauth_signature), you can click on the button below to generate the Signature Base String.


Signature Base String =

A few notes about the Base String:
- Format: "METHOD" + "&" + urlencoded(url) + "&" + oauth_parameters
- oauth_parameters: "key1=value1&key2=value2&key3=value3"
- oauth_parameters have to be sorted in ascending key order
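- The oauth_parameters string needs to be urlencoded
- oauth_callback is urlencoded twice (once as a parameter value, and again when the whole oauth_parameters string is encoded)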
- URL encoding is case-sensitive. e.g. "=" is encoded to "%3D", not "%3d".

With your Base String, we can now create the oauth_signature.
We need the Consumer_Secret we got from the previous step as the signing key. You should of course never reveal your secret key to anyone, but this is a sandbox and a tutorial.

With the Base String, and the Consumer_Secret, we can now generate the signature.

The Signature is constructed with a keyed-hash message authentication code (HMAC) of the Base String message, using your Consumer_Secret and "&" as the key. Consult your favourite language's documentation for this support.

It is important to note that the key is (Consumer_Secret + "&"), or "hjkisaqi2ai5e1coze1rbzhpfmgq0n5brmelvcno&" in our example.


Signature =


With the Signature, we can now construct the Authorization header string to make the http call.


Authorization:


With the authorization string, you can make the call with tools like the Chrome extension Postman.

1) Make sure you have POST as the method
2) Make sure your api endpoint is https://apisandbox.openbankproject.com/oauth/initiate or the right endpoint appropriate to your BASE-URL in the previous Step.
3) Open the Headers tab of the request
4) Create a new Key-Value pair with "Authorization" as the key,
5) and the value is the whole string in the textbox above.
6) Send!


If nothing went wrong, you should get a reply that looks like
"oauth_token=DIUCDD2LZX5Z3QGA4AG1FPMSEXSB2L1MK32JWRGD&oauth_token_secret=KDBM4MKTA1TNP11EZH11VBHYDNCM01VHTF5WCT31&oauth_callback_confirmed=true".

You will have to remember and make note of this set of oauth_token and oauth_token_secret. We will need them for the next couple of steps.

You've successfully completed Step 1.
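
The whole of Step 1 in Python, as an added example that is not the tutorial's or the Open Bank Project's own code: it builds the Signature Base String, signs it with (Consumer_Secret + "&") and assembles the Authorization header. The function names are hypothetical and the consumer key, secret, nonce and timestamp are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

INITIATE_URL = "https://apisandbox.openbankproject.com/oauth/initiate"
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def enc(value):
    """RFC 3986 percent-encoding; quote() emits upper-case hex (%3D, not %3d)."""
    return quote(str(value), safe="")

def base_string(method, url, params):
    # Encode every key and value, sort by key, then join as key=value&key=value.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    # Encoding the joined string again is what encodes oauth_callback twice.
    return "&".join([method.upper(), enc(url), enc(param_str)])

def sign(base, consumer_secret, method="HMAC-SHA1", token_secret=""):
    # Step 1 has no token secret yet, so the key is Consumer_Secret + "&".
    # (OAuth 1.0 percent-encodes both halves; a no-op for alphanumeric secrets.)
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), DIGESTS[method]).digest()
    return base64.b64encode(mac).decode()  # OAuth 1.0 sends the HMAC base64-encoded

def authorization_header(params, signature):
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(fields.items()))

def request_token_header(consumer_key, consumer_secret, callback,
                         method="HMAC-SHA1", nonce=None, timestamp=None):
    params = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh for every call
        "oauth_signature_method": method,
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    base = base_string("POST", INITIATE_URL, params)
    return base, authorization_header(params, sign(base, consumer_secret, method))

if __name__ == "__main__":
    # Constructed sample values; the key and secret are placeholders.
    base, header = request_token_header(
        "EXAMPLE_CONSUMER_KEY", "EXAMPLE_CONSUMER_SECRET", "http://127.0.0.1",
        nonce="constructednonce01", timestamp=1400000000)
    print("Signature Base String =", base)
    print("Authorization:", header)
```

Pass the printed header value as the "Authorization" header of the POST to the initiate URL. Omit `nonce` and `timestamp` in real calls so each request gets fresh values.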
