Using OAuth for Messenger API

Please note the following recommendations when using OAuth authentication with Yahoo Messenger.

  1. For Messenger clients, a correct timestamp may not be available on certain platforms, especially mobile. In those cases, we recommend using the PLAINTEXT method of signature calculation so that the value of the timestamp parameter is ignored.
  2. OAuth credentials should be passed either via query parameters or via an HTTP Authorization header. Credentials in the POST body are not supported.

The OAuth credentials that must be passed into a Yahoo Messenger IM API request are as follows:

realm

This is the constant string "yahooapis.com".

oauth_consumer_key

This is the API key (OAuth Consumer Key) that was generated by developer.yahoo.com.

oauth_nonce

This is a cryptographic nonce, a random number of your choosing. Once used, the number should not be used again.

oauth_signature_method

The signature method used to cryptographically sign API requests, such as "PLAINTEXT" or "HMAC-SHA1".

oauth_timestamp

This is an integer timestamp, represented as the number of seconds since the epoch. Note that if your system presents its timestamps as milliseconds since epoch, you should divide that number by 1000.

oauth_token

This is the token that was returned by the previous PART exchange API call.

oauth_version

This is the constant string "1.0".

oauth_signature

The Consumer Secret that was issued to the application. If you are using the PLAINTEXT signature method, concatenate %26 at the end of the Consumer Secret, and then concatenate oauth_token_secret from the previous call. For more information about signing requests, refer to Signing Requests at Yahoo!
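
The parameters above, assembled into an HTTP Authorization header with the PLAINTEXT method. This is an added example, not Yahoo's code; the function names and the sample credentials are assumptions made up for illustration, and every value except the signature is assumed to be passed in raw and percent-encoded here.

```python
import secrets
import time
from urllib.parse import quote

REALM = "yahooapis.com"  # constant string given in the parameter list


def epoch_seconds(now_ms=None):
    """Return oauth_timestamp in whole seconds; a millisecond clock value is divided by 1000."""
    if now_ms is None:
        return int(time.time())
    return int(now_ms) // 1000


def plaintext_signature(consumer_secret, token_secret):
    """Consumer Secret, then %26, then oauth_token_secret, as described for PLAINTEXT."""
    # PLAINTEXT carries both secrets in the request itself, so send it only over TLS.
    return f"{consumer_secret}%26{token_secret}"


def build_authorization_header(consumer_key, consumer_secret, token, token_secret,
                               nonce=None, now_ms=None):
    """Build the Authorization header value for a PLAINTEXT-signed request."""
    params = [
        ("realm", REALM),
        ("oauth_consumer_key", consumer_key),
        ("oauth_nonce", nonce or secrets.token_hex(16)),  # fresh value per request
        ("oauth_signature_method", "PLAINTEXT"),
        ("oauth_timestamp", str(epoch_seconds(now_ms))),
        ("oauth_token", token),
        ("oauth_version", "1.0"),
    ]
    # Percent-encode each value; the signature already contains the encoded "&".
    parts = [f'{key}="{quote(value, safe="")}"' for key, value in params]
    signature = plaintext_signature(consumer_secret, token_secret)
    parts.append(f'oauth_signature="{signature}"')
    return "OAuth " + ", ".join(parts)


if __name__ == "__main__":
    # Constructed sample credentials, not real keys or tokens.
    print(build_authorization_header(
        "example-consumer-key", "example-consumer-secret",
        "example-token=abc", "example-token-secret",
        now_ms=1700000000123))
```

Credentials go in this header or in query parameters, never in the POST body, per recommendation 2 above.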
