Authorization: OAuth 1.0

This is not intended to be a detailed explanation of OAuth or how it works, rather some details on our implementation and how to use it. If you would like details then this website explains it very clearly: http://oauthbible.com/#oauth-10a-one-legged

Every request to the payrun.io API needs to be authenticated; at the request level this is achieved by passing a specially signed string value in the Authorization header.

The header itself is contructed from the following parts:

  • oauth_version = 1.0 (don't change)
  • oauth_consumer_key = the consumer key issued to you (by us) - be very careful not to confuse this with your consumer_secret!
  • oauth_signature_method = HMAC-SHA1 (don't change)
  • oauth_timestamp = formatted as the number of seconds since 1970-01-01
  • oauth_nonce = 10 digit random (non-repeating) alpha-numeric string (What is a 'nonce')
  • oauth_signature = the result of hashing the encoded oauth parameters, url and http method using the HMAC-SHA1 algorithm

You will also need the full target url of the request and the http verb in order to correctly generate the signture.

What you produce should look similar to this:

OAuth oauth_version="1.0",oauth_consumer_key="OAvew7ftRkmdiKOulaqS8B",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1375828061",oauth_nonce="621DNqaO3E",oauth_signature="ZAKgdrxLeGqpCYvRbP4iEVt0ZSo%3D"

C# developers - you are in luck!

Included as part of the C# SDK is a helper library "PayRunIO.OAuth1" that given the basic information will help generate you a valid authorization header.

var consumerKey = "12345";
var consumerSecret = "67890";
var timestamp = TimeStampHelper.ConvertToTimeStamp(DateTime.Now);
var nonce = Nonce.New();

var generator = new OAuthSignatureGenerator();

var signature = generator.GenerateSignature(
	consumerKey,
	consumerSecret,
	timestamp,
	nonce,
	"https://api.test.payrun.io/employer/ER001/employees",
	"GET");

var header = generator.BuildAuthHeader(consumerKey, timestamp, nonce, signature);

Manually Create Authorization header using Postman

Postman provides a useful way of exploring the capabilities of RESTful APIs; in particular it makes it easy to generate the required "authorization" header. In our case this is an implementation of OAuth 1.0 (one legged).

Step 1: Create a new request and select the Authorization tab; select OAuth 1.0 from the type dropdown alt text

Step 2: Complete form fields:

  • Consumer Key: {your application's consumer key}
  • Consumer Secret:{your application's consumer secret}
  • Signature Method: HMAC-SHA1

Note: Timestamp and Nonce values are required but Postman will automatically populate these if they are blank. Token, Token Secret and Realm are not required and should always be left blank. alt text

Step 3: Ensure "Add params to header" is ticked and click "Update Request" If you then look at the Headers tab you should see the "Authorization" header has been added and populated with the OAuth details for the request. alt text