Chapter 6. Signing Requests to Yahoo

You must sign all requests to Yahoo Web services, including OAuth calls such as get_token, using the oauth_signature parameter (OAuth Core 1.0 Spec, Section 9). You can use either the HMAC-SHA1 or the PLAINTEXT method.

Signing Requests using HMAC-SHA1

Take the relevant request header and create a base string from it. For example, the following is a request URL and header for getting a Request Token:



If you normalize the request, the resulting base string looks like the following:

Use the normalized base string as the "text" and sign it using the concatenated Consumer Secret and Token Secret, separated by an "&" character, as the key. For more information, refer to OAuth Core 1.0 Spec, Section 9.2.


For requests to get_request_token, the Token Secret is absent. Include only the Consumer Secret followed by an "&" character.
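The steps above, from base string to signature, as an added Python example that is not Yahoo's own code. The URL, consumer key, nonce and secret are constructed placeholders, and the function names are illustrative; `verify` shows the receiving side recomputing the signature and comparing it in constant time.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    # OAuth parameter encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & normalized URL & normalized parameters.
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host += f":{parts.port}"  # keep only non-default ports
    norm_url = f"{scheme}://{host}{parts.path or '/'}"
    pairs = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    # oauth_signature is never part of the text that gets signed.
    enc = sorted((pct(k), pct(v)) for k, v in pairs if k != "oauth_signature")
    norm_params = "&".join(f"{k}={v}" for k, v in enc)
    return "&".join([method.upper(), pct(norm_url), pct(norm_params)])

def signing_key(consumer_secret, token_secret=""):
    # The "&" is always present, even when the Token Secret is absent.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = signing_key(consumer_secret, token_secret).encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def verify(signature, method, url, params, consumer_secret, token_secret=""):
    # Receiver side: recompute and compare in constant time.
    expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample request (placeholder URL, key, nonce and secret).
SAMPLE_URL = "https://api.example.com/oauth/get_request_token"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    sig = sign_hmac_sha1("GET", SAMPLE_URL, SAMPLE_PARAMS, "example-consumer-secret")
    print("oauth_signature =", pct(sig))
```

The signature is percent-encoded once more when it is placed in the oauth_signature parameter, which is why the demo prints `pct(sig)`.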

