Exchange PART for OAuth Credentials API

Exchange PART for OAuth Credentials API Address

As defined in Section 5.2 of the OAuth 1.0a spec, all input parameters can be submitted via HTTP GET, via HTTP POST with a content-type of application/x-www-form-urlencoded, or in the Authorization header as explained in Section 5.4 of the OAuth Core 1.0 document. For Messenger clients, a correct timestamp may not be available on certain platforms, especially mobile. In those cases, we recommend using the PLAINTEXT method of signature calculation so that the value of the timestamp parameter is ignored.

Please check the OAuth specification for details on signature calculation. This document assumes familiarity with the OAuth specification and skims over some OAuth details.

Exchange PART for OAuth Credentials API Input Parameters

Request Parameter | Type and Length | Description
oauth_consumer_key | string (256 chars) | The consumer key that will be validated
oauth_signature_method | string (32 chars) | PLAINTEXT or HMAC-SHA1 (PLAINTEXT is preferred)
oauth_nonce | string (256 chars) | A random value
oauth_timestamp | string (40 chars) | A Unix timestamp, expressed as "seconds from epoch." Note that if your system typically returns a timestamp as milliseconds from epoch, you should divide the number by 1000.
oauth_signature | string (120 chars) | For the PLAINTEXT signature method, this is the consumer secret with an ampersand '&' concatenated to the end. (See note below on URL encoding the ampersand.) For the HMAC-SHA1 signature method, this is the actual signature.
oauth_verifier | N/A | None
oauth_version | string (20 chars) | 1.0
oauth_token | string (256 chars) | The Pre Approved Request Token (PART) obtained from the Pre Approved Request Token (PART) API

Exchange PART for OAuth Credentials API Response

The Response format is specified in Section 5.3 of the OAuth 1.0a spec.

Response Parameter | Description
oauth_token | The access token
oauth_token_secret | OAuth access token secret
oauth_session_handle | The persistent credential
oauth_expires_in | Lifetime of the access token in seconds
oauth_authorization_expires_in | Lifetime of the oauth_session_handle in seconds


When the PLAINTEXT signature method is used, the oauth_signature should be your consumer secret concatenated with an ampersand '&', and the result is then URL encoded. For example, the oauth_signature sent should look like 'oauth_signature=5b39ec891e64d8dbbfab96dc137da73e%26'. Please check the OAuth specification for details.
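The following added example (not code from the original documentation) builds the form-encoded request body for the PLAINTEXT method from the input parameter table and parses the response fields listed above. Because PLAINTEXT places the consumer secret itself in the request, the OAuth specification says to use it only over a secure channel such as HTTPS. The function names, the sample response and the reading of the table's length limits as applying before URL encoding are assumptions; the endpoint address is not given on this page, so no request is sent.

```python
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode

# Maximum lengths from the input parameter table (assumed to apply before URL encoding).
MAX_LEN = {"oauth_consumer_key": 256, "oauth_signature_method": 32, "oauth_nonce": 256,
           "oauth_timestamp": 40, "oauth_signature": 120, "oauth_version": 20,
           "oauth_token": 256}
RESPONSE_FIELDS = ("oauth_token", "oauth_token_secret", "oauth_session_handle",
                   "oauth_expires_in", "oauth_authorization_expires_in")

def build_exchange_body(consumer_key, consumer_secret, part, now=None):
    """Return the application/x-www-form-urlencoded body for a PLAINTEXT request."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "PLAINTEXT",
        "oauth_nonce": secrets.token_hex(16),
        # Seconds from epoch; a millisecond clock value would need dividing by 1000.
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        # Consumer secret followed by '&'; no token secret is appended for this call.
        "oauth_signature": quote(consumer_secret, safe="") + "&",
        "oauth_version": "1.0",
        "oauth_token": part,
    }
    for name, value in params.items():
        if len(value) > MAX_LEN[name]:
            raise ValueError(f"{name} exceeds {MAX_LEN[name]} characters")
    # Transport encoding turns the trailing '&' into %26.
    return urlencode(params, quote_via=quote)

def parse_exchange_response(body):
    """Parse the form-encoded response and require every documented field."""
    fields = parse_qs(body, strict_parsing=True)
    missing = [name for name in RESPONSE_FIELDS if name not in fields]
    if missing:
        raise ValueError(f"response is missing {missing}")
    creds = {name: fields[name][0] for name in RESPONSE_FIELDS}
    for name in ("oauth_expires_in", "oauth_authorization_expires_in"):
        creds[name] = int(creds[name])  # lifetimes are given in seconds
    return creds

# Constructed sample values, not real credentials or a captured response.
SAMPLE_RESPONSE = ("oauth_token=A%3Dexample&oauth_token_secret=s3cr3t"
                   "&oauth_session_handle=handle123&oauth_expires_in=3600"
                   "&oauth_authorization_expires_in=86400")

if __name__ == "__main__":
    print(build_exchange_body("example-key", "5b39ec891e64d8dbbfab96dc137da73e", "example-part"))
    print(parse_exchange_response(SAMPLE_RESPONSE))
```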
