Step 3: Converting the request token to an access token

In Step 3 of the OAuth document , we need the following parameters.

This is your oauth_verifier from the previous step.

This is your oauth_token from the previous 2 steps.

This is your Consumer_Key from the step 1.
[Help me put in the Consumer_Key from the image in step 1]

This is any random string. Nonces are non-reusable. The API will reject calls when a nonce was already seen once.
[Help me put in a random GUID]

We will come to this in a minute.

This must be set to either HMAC-SHA1 or HMAC-SHA256
[Help me put in HMAC-SHA1]
[Help me put in HMAC-SHA256]

This is the current Unix Timestamp, you can find the live timestamp from here
[Help me put in the current timestamp]

This is optional, but let's put in 1.0
[Help me put 1.0]

Once you have entered all the fields (except oauth_signature), you can click on the button below to generate the Signature Base String.

Signature Base String =

A few notes about the Base String:
- Format: "METHOD" + "&" + urlencoded(url) + "&" + oauth_parameters
- oauth_parameters: "key1=value1&key2=value2&key3=value3"
- oauth_parameters have to be sorted in ascending key order
- oauth_parameters needs to be urlencoded
- URL encoding is case-sensitive. "=" is encoded to "%3D", not "%3d".

With your Base String, we can now create the oauth_signature.
We need the Consumer_Secret we got from the Prelude AND also the oauth_token_secret in the previous step as the encryption key. You should of course never reveal your secret keys to anyone, but this is a sandbox and a tutorial.

[Help me put in the Consumer_Secret from the image in the Prelude]

This is the oauth_token_secret we got at the end of Step 1.

With the Base String, and the Consumer_Secret and oauth_token_secret, we can now generate the signature.

The Signature is constructed with a keyed-hash message authentication code (HMAC) of the Base String message, using your Consumer_Secret and "&" and oauth_token_secret as the key. Consult your favourite language's documentation for this support.

Important to note that the key is (Consumer_Secret + "&" + oauth_token_secret), or "hjkisaqi2ai5e1coze1rbzhpfmgq0n5brmelvcno&rk2qfjwjqtsborpugeicigypcclbz3hurf3af2rg" as an example.

Signature =

With the Signature, we can now construct the Authorization header string to make the http call.

Authorization String =

With the authorization string, you can make the call with tools like Fiddler or Chrome extension Postman .

1) Make sure you have POST as the method
2) Make sure your api endpoint is or the right point appropriate to your BASE-URL in the previous Step.
3) Open the Headers tab of the request
4) Create a new Key-Value pair with "Authorization" as the key,
5) and the value is the whole string in the textbox above.
6) Send!

If nothing went wrong, you should get a reply that looks like

You will have to remember and make note of this new access_token and access_token_secret. We will need them for the next step.

You've successfully completed Step 3.

Go to Step 4

[See example code in C# for this step] [php example code coming soon]