MySpace Developer Platform

What is Data Availability?

MySpace's Data Availability (DA) project provides developers with the opportunity to leverage MySpace’s social platform outside of MySpace. This provides value to MySpace members by making their identity accessible across the social web in an open, standards-based approach that enables robust member controls over privacy and access. For developers, DA allows MySpace members to link their MySpace account with a developer's site, making the following information available through MySpace's implementation of the OpenSocial REST APIs and through MySpace's own REST APIs for enhanced capabilities:
  1. Profile Information
  2. Pieces of Media
  3. Social Graph (Public Connections Between People)
All of this functionality utilizes the OAuth protocol to provide delegated authentication.

MySpace and OAuth

MySpace supports the OAuth standard specification for access delegation (http://oauth.net/core/1.0/) and HTTP Request signing. Access delegation allows external sites to obtain permission to access a member’s data by delegating permission granting to a MySpace authorization page and obtaining an Access Token that is then used in HTTP Requests to the MySpace REST API for the member’s data. Digital signing of requests allows MySpace to authenticate the consumer of the MySpace API. OAuth standardizes the steps involved in delegating app authorization, the names of the parameters and the algorithm used to generate the base string from which the digital signature is created.

The developer must obtain a key pair from MySpace in order to make requests to the API. The first key, the oauth_consumer_key, is used to identify the partner. The second key is the shared secret used to generate the digital signatures using HMAC-SHA1. The shared secret should not be revealed in any way, either in HTTP requests or in code visible to members or 3rd parties, including JavaScript code.

Setting Up Your Application

In order to obtain a key pair to be used for the MySpace API, developers must set up a new application on the MySpace Developer Platform site (under MyApps > Create New App) or use an existing internal application. To use the Session Based Authentication required for access to the API from an external site, developers must define 2 key fields when building or editing their MySpace applications:

  • External App Domain - This field is validated against the oauth_callback parameter supplied in the Access Delegation workflow described below. It must be the same domain as the URL value of the parameter.
  • External App URL - This is the URL used to direct members and our review team to your external application.
To set these values:
  1. Click on MyApps.
  2. Click the Edit Details link.
  3. Scroll down to External Site settings and select the Use External Domain checkbox.
  4. Selecting the Use External Domain checkbox reveals the External URL and External Domain fields described above.
  5. Enter the External URL and External Domain.
  6. Click the Save button.

Access Delegation

The Access Delegation workflow is the process by which the External Site can obtain a token to use in requests to the MySpace API for a particular member. The workflow involves three steps:

  1. Obtaining an Unauthorized Request Token
  2. Obtaining User Authorization
  3. Obtaining an Access Token

NOTE: The details of this workflow are outlined at the following website: http://oauth.net/core/1.0/#anchor9.

Request Token

Request a token by accessing the following URI: http://api.myspace.com/request_token. This request must be digitally signed using the Consumer Key and Shared Secret obtained by creating an application on MySpace as outlined above.

User Authorization

Once the developer obtains an Unauthorized Request Token, they must access the following URI in order to authorize 3rd-party access to their data: http://api.myspace.com/authorize

Upon agreement, developers must provide their MySpace credentials and click the Yes, Link this Account button to be sent back to the oauth_callback URL provided by the developer in the request to the Member Authorization page.

Access Token

Once authorized, the External Site may exchange the Authorized Request Token for a session based Access Token at the following URI: http://api.myspace.com/access_token

The request to this URI must be digitally signed as outlined below. Obtaining an Access Token is similar to the step outlined in the OAuth spec here: http://oauth.net/core/1.0/#auth_step3.

The body of the HTTP Response will then include the Access Token and possibly a token secret in the form of: oauth_token=nnch734d00sl2jdk&oauth_token_secret=hdhd0244k9j7ao03

These values, including the oauth_token_secret (even if it is a zero-length string), can then be used to make requests to the MySpace REST API in order to obtain the currently logged-in member’s data.

Signing Requests

The details of signing requests can be read in the OAuth spec here:
http://oauth.net/core/1.0/#signing_process.

Signing a request involves the following steps:
  1. Generate a base string from elements of the request (including the oauth_* parameters). The details of generating the base string can be found in Section 9.1 of the OAuth spec: http://oauth.net/core/1.0/#anchor14.
  2. Use this base string and the partner shared secret in the HMAC-SHA1 one-way hashing algorithm to generate the signature. NOTE: OAuth does not mandate a specific signature algorithm, but HMAC-SHA1 must be used for requests to the MySpace REST API. The key used in the HMAC-SHA1 algorithm is a concatenation of the partner shared secret and a token secret, delimited by an ampersand (&). The token secret is sometimes supplied in the body of the response to the Access Token request; if it is not, the token secret value in the key must be an empty string. In that case the HMAC-SHA1 key is simply the partner shared secret followed by a trailing ampersand.
  3. Include the oauth_* parameters in the request in either the Authorization header or as query parameters. This is outlined in the OAuth spec here: http://oauth.net/core/1.0/#auth_header. The MySpace Developer Platform site has a tool that can be used to generate sample OAuth signed requests here: http://developer.myspace.com/modules/apis/pages/oauthtool.aspx.
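
The signing steps above, worked through as an added example (not MySpace's code): it builds the base string per OAuth Core 1.0 Section 9.1, derives the HMAC-SHA1 key including the empty-token-secret case, and verifies a signature in constant time. The function names are illustrative, and the sample request and secrets are the ones published in Appendix A of the OAuth Core 1.0 spec, not MySpace credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

def pct(value):
    # OAuth Core 1.0 section 5.1: escape everything except unreserved characters.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Section 9.1: METHOD & normalized URL & normalized parameters.
    # Assumption: `params` already holds every query, body and oauth_* parameter.
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")  # the signature never signs itself
    query = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(f"{scheme}://{host}{parts.path or '/'}"), pct(query)])

def signing_key(shared_secret, token_secret=""):
    # With no token secret issued, the key ends in a bare "&".
    return f"{pct(shared_secret)}&{pct(token_secret)}"

def sign(method, url, params, shared_secret, token_secret=""):
    mac = hmac.new(signing_key(shared_secret, token_secret).encode(),
                   base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(presented, method, url, params, shared_secret, token_secret=""):
    # Receiving side: recompute the signature and compare in constant time.
    expected = sign(method, url, params, shared_secret, token_secret)
    return hmac.compare_digest(expected, presented)

# Sample request from OAuth Core 1.0 Appendix A (not MySpace credentials).
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = {
    "file": "vacation.jpg", "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}

if __name__ == "__main__":
    print(base_string("GET", SPEC_URL, SPEC_PARAMS))
    print(sign("GET", SPEC_URL, SPEC_PARAMS, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
```

Because the shared secret is half of the key, this code belongs on the server; the browser should only ever see the finished oauth_signature value.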

Resources

The MySpace Developer Platform site has a tool that can be used to generate sample OAuth signed requests here:
http://developer.myspace.com/modules/apis/pages/oauthtool.aspx.

For more information about OAuth:
http://developer.myspace.com/community/myspace/oauthintro.aspx

A table listing of available Data Availability REST Resources and other DA information can be found here:
http://developer.myspace.com/community/myspace/da.aspx