Step 3: Converting the request token to an access token



In Step 3 of the OAuth document, we need the following parameters.

- oauth_verifier: This is your oauth_verifier from the previous step.
- oauth_token: This is your oauth_token from the previous 2 steps.
- oauth_consumer_key: This is your Consumer_Key from Step 1.
- oauth_nonce: This is any random string. Nonces are non-reusable. The API will reject calls when a nonce was already seen once.
- oauth_signature: We will come to this in a minute.
- oauth_signature_method: This must be set to either HMAC-SHA1 or HMAC-SHA256.
- oauth_timestamp: This is the current Unix timestamp.
- oauth_version: This is optional, but let's put in 1.0.


Once you have entered all the fields (except oauth_signature), you can click on the button below to generate the Signature Base String.


Signature Base String =

A few notes about the Base String:
- Format: "METHOD" + "&" + urlencoded(url) + "&" + oauth_parameters
- oauth_parameters: "key1=value1&key2=value2&key3=value3"
- oauth_parameters have to be sorted in ascending key order
- oauth_parameters needs to be urlencoded
- URL encoding is case-sensitive. "=" is encoded to "%3D", not "%3d".

With your Base String, we can now create the oauth_signature.
We need the Consumer_Secret we got from the Prelude and also the oauth_token_secret from the previous step as the signing key. You should of course never reveal your secret keys to anyone, but this is a sandbox and a tutorial.



This is the oauth_token_secret we got at the end of Step 1.

With the Base String, and the Consumer_Secret and oauth_token_secret, we can now generate the signature.

The Signature is constructed with a keyed-hash message authentication code (HMAC) of the Base String message, using your Consumer_Secret and "&" and oauth_token_secret as the key. Consult your favourite language's documentation for this support.

It is important to note that the key is (Consumer_Secret + "&" + oauth_token_secret), for example "hjkisaqi2ai5e1coze1rbzhpfmgq0n5brmelvcno&rk2qfjwjqtsborpugeicigypcclbz3hurf3af2rg".


Signature =


With the Signature, we can now construct the Authorization header string to make the http call.


Authorization String =
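The three computations described above (Base String, Signature, Authorization string), as an added Python example that is not the tutorial's own code. The function names and placeholder credentials are assumptions, and the Base64 encoding of the HMAC output follows RFC 5849 rather than anything stated on this page.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

TOKEN_URL = "https://apisandbox.openbankproject.com/oauth/token"  # endpoint named on the page
DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def pct(value):
    # Percent-encode everything except unreserved characters; hex digits come out uppercase.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Sort by key, encode each key and value, join, then encode the joined string again.
    pairs = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(pairs)])

def sign(base, consumer_secret, token_secret, method):
    # Key is Consumer_Secret + "&" + oauth_token_secret (each percent-encoded, which
    # leaves alphanumeric secrets unchanged). Base64 output follows RFC 5849.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), DIGESTS[method]).digest()
    return base64.b64encode(mac).decode()

def authorization_header(params, signature):
    # The signature is added last and percent-encoded like every other value.
    fields = dict(params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(fields.items()))

def access_token_request(consumer_key, consumer_secret, token, token_secret, verifier,
                         method="HMAC-SHA256"):
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),  # fresh per call; a seen nonce is rejected
        "oauth_signature_method": method,
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": token,
        "oauth_verifier": verifier,
        "oauth_version": "1.0",
    }
    base = base_string("POST", TOKEN_URL, params)
    return authorization_header(params, sign(base, consumer_secret, token_secret, method))

if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys.
    print(access_token_request("CONSUMER_KEY", "CONSUMER_SECRET",
                               "REQUEST_TOKEN", "REQUEST_TOKEN_SECRET", "VERIFIER"))
```

The returned string is the value of the Authorization header for the POST to the token endpoint.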


With the authorization string, you can make the call with tools like Fiddler or the Chrome extension Postman.

1) Make sure you have POST as the method
2) Make sure your API endpoint is https://apisandbox.openbankproject.com/oauth/token or the endpoint appropriate to your BASE-URL from the previous step.
3) Open the Headers tab of the request
4) Create a new Key-Value pair with "Authorization" as the key,
5) and the value is the whole string in the textbox above.
6) Send!

If nothing went wrong, you should get a reply that looks like
"oauth_token=DIUCDD2LZX5Z3QGA4AG1FPMSEXSB2L1MK32JWRGD&oauth_token_secret=KDBM4MKTA1TNP11EZH11VBHYDNCM01VHTF5WCT31".

You will have to remember and make note of this new access_token and access_token_secret. We will need them for the next step.

You've successfully completed Step 3.
