MySpace Open Platform


REST API Request Authentication

Every request to the API must be authenticated using a digital signing mechanism. This process involves identifying yourself to the API and then validating your identity by creating a digital signature. The digital signature uses specific elements from the request along with a shared secret value provided to you upon authentication. The signing mechanism follows the standards-based OAuth specification.

Creating the base string

To sign the request, you must create a Signature Base String as defined in section 9.1 of the OAuth specification. This string is created by concatenating three percent-encoded parameters of the request using an ampersand as the delimiter. The parameters used to form the base string are:

1. The HTTP method of the request (GET, POST, PUT, etc.). This method must be in all uppercase.

2. The scheme, authority and path of the URL Request. The query string and fragment identifier are excluded. The scheme and authority must be in lowercase. The default port 80 must be excluded.

3. The normalized request parameters.

Do the following to normalize the parameters:

1. Gather the GET query parameters, the HTTP POST or PUT request body parameters and, if the Authorization header is used, the OAuth parameters in the Authorization header, excluding the realm and oauth_signature.

2. Sort the parameters primarily by name and secondarily by value

3. Concatenate the parameters in order and delimit as follows:

a. By name and value with an '=' character delimiter

b. By pairs with an '&' character delimiter

Creating the Signature

Create the signature from the base string using HMAC-SHA1 as follows:

1. The text is the base string

2. The key is the concatenated values of the two parameters below:

a. The Consumer Secret provided upon creation of the application

b. An empty string ("").
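The steps above, carried through in Python as an added example (not code from the MySpace documentation). The function names, sample URL, consumer key, nonce and secret are constructed for illustration; the "&" placed between the two key parts and the Base64 encoding of the digest come from the OAuth specification rather than from this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def enc(value):
    # Percent-encode everything except RFC 3986 unreserved characters.
    return quote(str(value), safe="~")

def base_url(url):
    # Scheme, authority and path only; lowercase scheme/host, drop default port.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    # The page names port 80; 443 for https is the OAuth spec's equivalent default.
    if port is not None and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"

def normalize(url, body_params, oauth_params):
    # Gather query, body and OAuth parameters, drop realm/oauth_signature, sort.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list(body_params) + list(oauth_params)
    encoded = [(enc(k), enc(v)) for k, v in pairs
               if k not in ("realm", "oauth_signature")]
    return "&".join(f"{k}={v}" for k, v in sorted(encoded))

def base_string(method, url, body_params=(), oauth_params=()):
    fields = (method.upper(), base_url(url), normalize(url, body_params, oauth_params))
    return "&".join(enc(f) for f in fields)

def sign(base, consumer_secret, token_secret=""):
    # Key = consumer secret + "&" + empty string (separator per the OAuth spec).
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(base, consumer_secret, presented_signature):
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sign(base, consumer_secret), presented_signature)

# Constructed sample request; key, nonce and secret are made up.
SAMPLE_URL = "http://API.Example.com:80/v1/users/1/friends?page_size=2&page=1"
SAMPLE_OAUTH = [("realm", "x"), ("oauth_consumer_key", "example-key"),
                ("oauth_nonce", "abc123"), ("oauth_signature_method", "HMAC-SHA1"),
                ("oauth_timestamp", "1200000000"), ("oauth_version", "1.0")]

if __name__ == "__main__":
    bs = base_string("get", SAMPLE_URL, oauth_params=SAMPLE_OAUTH)
    print(bs)
    print(sign(bs, "example-consumer-secret"))
```

A receiver recomputes the base string from the request it actually received and calls `verify`, so any change to the method, URL or parameters after signing produces a mismatch.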