Step 4: Accessing protected resources (GET)



In Step 4 of the OAuth document, we can start consuming OBP API endpoints, with and without authentication. Refer to the REST API documentation for endpoints and services.

We will do an authenticated GET example here. (GET URL: /accounts/private)


The request uses the following OAuth parameters:

- oauth_token: This is your access_token from the previous step. (This is the access_token from Step 3, and NOT the oauth_token from Step 1 and Step 2. The key is still called oauth_token though.)
- oauth_consumer_key: This is your Consumer_Key from Step 1.
- oauth_nonce: This is any random string. Nonces are non-reusable. The API will reject calls when a nonce was already seen once.
- oauth_signature: We will come to this in a minute.
- oauth_signature_method: This must be set to either HMAC-SHA1 or HMAC-SHA256.
- oauth_timestamp: This is the current Unix timestamp; you can find the live timestamp from here.
- oauth_version: This is optional, but let's put in 1.0.


Once you have entered all the fields (except oauth_signature), you can click on the button below to generate the Signature Base String.


Signature Base String =

A few notes about the Base String:
- Note the prefix of "/obp/v1.2.1" in the uri endpoint
- Format: "METHOD" + "&" + urlencoded(url) + "&" + oauth_parameters
- oauth_parameters: "key1=value1&key2=value2&key3=value3"
- oauth_parameters have to be sorted in ascending key order
- oauth_parameters need to be urlencoded
- URL encoding is case-sensitive. "=" is encoded to "%3D", not "%3d".

With your Base String, we can now create the oauth_signature.
We need the Consumer_Secret we got from Step 1 AND also the access_token_secret from the previous step as the signing key. You should of course never reveal your secret keys to anyone, but this is a sandbox and a tutorial.

access_token_secret: This is the access_token_secret we got at the end of the previous step.

With the Base String, and the Consumer_Secret and access_token_secret, we can now generate the signature.

The Signature is constructed with a keyed-hash message authentication code (HMAC) of the Base String message, using your Consumer_Secret and "&" and oauth_token_secret as the key. Consult your favourite language's documentation for this support.

It is important to note that the key is (Consumer_Secret + "&" + access_token_secret), or "hjkisaqi2ai5e1coze1rbzhpfmgq0n5brmelvcno&rk2qfjwjqtsborpugeicigypcclbz3hurf3af2rg" as an example.


Signature =


With the Signature, we can now construct the Authorization header string to make the http call.


Authorization String =


With the authorization string, you can make the call with tools like Fiddler or the Chrome extension Postman.

1) Make sure you are Composing a request
2) Make sure you have GET as the method
3) Make sure your API endpoint is https://apisandbox.openbankproject.com/obp/v1.2.1/accounts/private or the endpoint appropriate to your BASE-URL in the previous Steps. Note especially the addition of "/obp/v1.2.1" in the URL.
4) Copy and paste the Authorization String into the header.
5) Execute!


If nothing went wrong, you should get a reply that's a big JSON array object. If you've created any test accounts with the "Create Sandbox Test Account" functionality in the Prelude step, you should be seeing them here.

You've successfully completed an authenticated GET call!
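
The whole procedure on this page (Base String, signing key, Signature, Authorization String) as an added Python example; it is not part of the original tutorial or the OBP code base. The consumer key, access token and the RFC 5849 header layout are assumptions, and the two secrets are the sample key quoted above.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

DIGESTS = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}

def pct(value):
    # RFC 3986 encoding: only unreserved characters stay literal; quote() emits
    # upper-case hex, so "=" becomes "%3D" as the Base String notes require.
    return quote(str(value), safe="-._~")

def oauth_params(consumer_key, access_token, method="HMAC-SHA256", nonce=None, timestamp=None):
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),   # fresh CSPRNG value per call
        "oauth_signature_method": method,
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": access_token,                     # access_token from Step 3
        "oauth_version": "1.0",
    }

def base_string(http_method, url, params):
    # Sort by encoded key, join as key=value pairs, then encode the joined string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    joined = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([http_method.upper(), pct(url), pct(joined)])

def sign(base, consumer_secret, token_secret, method):
    # Key is Consumer_Secret + "&" + access_token_secret (the encoding is a no-op
    # for alphanumeric secrets); the MAC is base64-encoded.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), DIGESTS[method]).digest()
    return base64.b64encode(mac).decode()

def authorization_header(http_method, url, params, consumer_secret, token_secret):
    sig = sign(base_string(http_method, url, params), consumer_secret,
               token_secret, params["oauth_signature_method"])
    fields = dict(params, oauth_signature=sig)  # signature is percent-encoded below
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(fields.items()))

if __name__ == "__main__":
    URL = "https://apisandbox.openbankproject.com/obp/v1.2.1/accounts/private"
    # Constructed key and token; the two secrets are the sample key shown on this page.
    p = oauth_params("EXAMPLE_CONSUMER_KEY", "EXAMPLE_ACCESS_TOKEN")
    print(authorization_header("GET", URL, p, "hjkisaqi2ai5e1coze1rbzhpfmgq0n5brmelvcno",
                               "rk2qfjwjqtsborpugeicigypcclbz3hurf3af2rg"))
```

Because the nonce and timestamp are part of the signed Base String, a header built this way is valid for one call only; generate a new one for every request.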
