To ensure API requests cannot be modified by an attacker on the way to the server, a client application can add a digital signature to the request.

With OAuth, the signature is a keyed hash (HMAC) computed over the normalized, unsigned request, keyed with the consumer secret that corresponds to the consumer key and the token secret of the OAuth token used in the request. Because the secrets are never sent over the network, even an attacker who intercepts the entire exchange cannot produce a valid signature for a forged or modified request.

For security reasons, we strongly recommend using a standard implementation of the OAuth protocol to sign your application's requests.

Please refer to the OAuth specification for more details on how to create a request signature.
