3/6/2017 - 6:36 PM

Twitter API

Formula: oauth_signature = Base64(HMAC-SHA1(key = SigningKey, message = SignatureBaseString))

Hash function: HMAC-SHA1. The signing key is the HMAC key, the signature base string is the message, and the raw 20-byte digest is base64-encoded before it goes into the header.

Generate SignatureBaseString:

  1. Convert the HTTP method to uppercase and set the output string equal to this value. e.g. POST
  2. Append &. e.g. POST&
  3. Percent encode the base URL and append it to the output string. The URL must not include the query string or fragment (hash); query parameters are signed as part of the parameter string instead. e.g., for the endpoint Twitter's own signing example uses, https://api.twitter.com/1/statuses/update.json: POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json
  4. Append & again (step 2). e.g. POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&
  5. Percent encode the parameter string (generated below) and append it to the output string. This encodes the parameters a second time, so a %20 in the parameter string shows up as %2520 in the base string.

Generate Parameter String:

Let's say:

status: Hello Ladies + Gentlemen, a signed OAuth request!
include_entities:   true
oauth_consumer_key: xvz1evFS4wEEPTGEFPHBog
oauth_nonce:    kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg
oauth_signature_method: HMAC-SHA1
oauth_timestamp:    1318622958
oauth_token:    370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb
oauth_version:  1.0
  1. Percent encode every key and value that will be signed: the request's own query and body parameters as well as all oauth_* values except oauth_signature, which does not exist yet.
  2. Sort the list of parameters alphabetically by encoded key (and by encoded value where two keys are equal).
  3. For each key/value pair:
       a. Append the encoded key to the output string
       b. Append the '=' character to the output string
       c. Append the encoded value to the output string
       d. If there are more key/value pairs remaining, append a '&' character to the output string

Example Parameter String:

include_entities=true&oauth_consumer_key=xvz1evFS4wEEPTGEFPHBog&oauth_nonce=kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1318622958&oauth_token=370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb&oauth_version=1.0&status=Hello%20Ladies%20%2B%20Gentlemen%2C%20a%20signed%20OAuth%20request%21

Example Signature Base String (assuming a POST to https://api.twitter.com/1/statuses/update.json, the endpoint in Twitter's own signing example, which is where these values come from):

POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fupdate.json&include_entities%3Dtrue%26oauth_consumer_key%3Dxvz1evFS4wEEPTGEFPHBog%26oauth_nonce%3DkYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1318622958%26oauth_token%3D370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb%26oauth_version%3D1.0%26status%3DHello%2520Ladies%2520%252B%2520Gentlemen%252C%2520a%2520signed%2520OAuth%2520request%2521
Generate Signing Key

Simply: Percent Encoded Consumer Secret + & + Percent Encoded Token Secret. The & is always present; when there is no token secret yet (the request-token step), the key simply ends with &.

Assume the Consumer Secret is kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw and the Token Secret is LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE.

Example Signing Key: kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw&LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE

Finally, the signature is the base64 of the HMAC-SHA1 digest: tnnArxj06cWHq44gCs1OSKk/jLY= (percent-encoded to tnnArxj06cWHq44gCs1OSKk%2FjLY%3D in the header). Both secrets must stay on the machine that signs; never ship the consumer secret in browser JavaScript or a mobile app, since anyone holding the two secrets can sign requests as that user.


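The whole procedure above (parameter string, signature base string, signing key, HMAC-SHA1) and the Authorization header from the last section, as an added worked example in Python; this is not code from the original note or from Twitter. It runs against the values recorded in this note. The endpoint https://api.twitter.com/1/statuses/update.json is an assumption: the note never records the URL, and that is the endpoint Twitter's own signing example uses, so the output is expected to reproduce the signature in the header example.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import quote


def percent_encode(value) -> str:
    # OAuth 1.0a uses RFC 3986: only A-Z a-z 0-9 - . _ ~ stay literal, everything
    # else becomes %XX with uppercase hex. quote() with an empty safe set does that.
    return quote(str(value), safe="")


def parameter_string(params: dict) -> str:
    # Encode every key and value first, sort by encoded key (then value), then join.
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params: dict) -> str:
    # METHOD & enc(base URL) & enc(parameter string). Query parameters must be passed
    # in params so they get signed; a URL carrying a query or fragment is a bug here.
    if "?" in url or "#" in url:
        raise ValueError("base URL must not carry a query string or fragment")
    return "&".join([method.upper(), percent_encode(url), percent_encode(parameter_string(params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # enc(consumer secret) & enc(token secret); the '&' stays even with no token secret.
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def oauth_signature(method, url, params, consumer_secret, token_secret="") -> str:
    # HMAC-SHA1 keyed with the signing key over the base string, base64-encoded.
    mac = hmac.new(signing_key(consumer_secret, token_secret).encode("ascii"),
                   signature_base_string(method, url, params).encode("utf-8"),
                   hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def oauth_params(consumer_key: str, token: str, nonce=None, timestamp=None) -> dict:
    # Per-request oauth_* values. Nonce: 32 random bytes, base64, non-word characters
    # stripped (Twitter's suggestion); timestamp: seconds since the Unix epoch.
    if nonce is None:
        nonce = re.sub(r"\W", "", base64.b64encode(secrets.token_bytes(32)).decode("ascii"))
    if timestamp is None:
        timestamp = int(time.time())
    return {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce,
            "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
            "oauth_token": token, "oauth_version": "1.0"}


def authorization_header(method, url, request_params, oauth, consumer_secret, token_secret) -> str:
    # Everything (oauth_* plus the request's own query/body parameters) is signed, but
    # only oauth_* and the signature travel in the header. Each header value is
    # percent-encoded again, so the '/' in the base64 signature becomes %2F.
    sig = oauth_signature(method, url, {**request_params, **oauth}, consumer_secret, token_secret)
    header = {**oauth, "oauth_signature": sig}
    return "OAuth " + ", ".join(f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(header.items()))


# Twitter's published example vectors, as recorded in the note. The URL is assumed
# (Twitter's own worked example signs this endpoint); the note does not record it.
EXAMPLE = {
    "method": "POST",
    "url": "https://api.twitter.com/1/statuses/update.json",
    "request_params": {"include_entities": "true",
                       "status": "Hello Ladies + Gentlemen, a signed OAuth request!"},
    "consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "consumer_secret": "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
    "token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "token_secret": "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE",
    "nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
    "timestamp": 1318622958,
}


def worked_example() -> dict:
    # Every intermediate value, so each step can be compared with the note above.
    e = EXAMPLE
    oauth = oauth_params(e["consumer_key"], e["token"], e["nonce"], e["timestamp"])
    signed = {**e["request_params"], **oauth}
    return {
        "parameter_string": parameter_string(signed),
        "base_string": signature_base_string(e["method"], e["url"], signed),
        "signing_key": signing_key(e["consumer_secret"], e["token_secret"]),
        "signature": oauth_signature(e["method"], e["url"], signed, e["consumer_secret"], e["token_secret"]),
        "header": authorization_header(e["method"], e["url"], e["request_params"], oauth,
                                       e["consumer_secret"], e["token_secret"]),
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value}")
```

Running the script prints each intermediate value; the signature line should read tnnArxj06cWHq44gCs1OSKk/jLY=. The two places implementations usually go wrong are visible here: the status text is encoded once for the parameter string and again for the base string, and the header values are encoded independently of the signature computation.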
Authorization header parameters:

oauth_consumer_key: the application key, taken from the app's settings on Twitter.

oauth_nonce: a unique string per request, so Twitter can reject a replay of the same request.
  • Twitter suggests base64 encoding 32 bytes of random data and stripping non-word characters
  • e.g. Guid.NewGuid().ToString("N") in C# also works; a GUID is only 16 bytes, but uniqueness is what matters here

oauth_signature_method: always HMAC-SHA1.

oauth_signature: a value which is generated by running all of the other request parameters and two secret values (the consumer secret and the token secret) through the signing algorithm above.

oauth_timestamp: seconds since the Unix epoch, indicating when the request was created. Twitter will reject requests which were created too far in the past, so it is important to keep the clock of the computer generating requests synchronized with NTP.

oauth_token: represents a user's permission to share access to their account with your application.

oauth_version: always 1.0.

All the values should be percent encoded before attaching them to the Authorization header (the / and = in the signature become %2F and %3D, as in the example below).

e.g. in C#: Uri.EscapeDataString("The value"); note that on older .NET Framework versions (4.0 and earlier) EscapeDataString leaves the RFC 3986 reserved characters ! * ' ( ) unescaped, so a status containing ! (like the example above) would be signed differently from how Twitter computes it. OAuth libraries for .NET typically replace those characters by hand.

Example Authorization header (a single line; the parameters are comma-separated, each value in double quotes):

Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1318622958", oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb", oauth_version="1.0"