and then how to put this request parameters string into the base string.
However, both steps state that values should be URL encoded: 1) When building the request parameters string, concatenating them with ampersands, it says "Note: each <value> must be url encoded." 2) When building the full base string, it says "Note: the <api url> and the <request parameters> must be url encoded."
This is misleading, because it suggests that the values for the parameters in the request parameters string (eg the value for oauth_consumer_key) should be URL encoded first, then concatenated with ampersands, and then this entire string be URL encoded again, which will result in an invalid signature (which left me stumped for a considerable amount of time).
Perhaps this could be cleared up in the example, perhaps suggesting that the full request parameters string is built up first, then the whole thing is URL encoded, or just by concatenating the parameters with %26 instead of &.