Authorization: OAuth 1.0

This is not intended to be a detailed explanation of OAuth or how it works, but rather to give some details on our implementation and how to use it. If you would like details then this website explains it very clearly:

Every request to the API needs to be authenticated; at the request level this is achieved by passing a specially signed string value in the Authorization header.

The header itself is constructed from the following parts:

  • oauth_version = 1.0 (don't change)
  • oauth_consumer_key = the consumer key issued to you (by us) - be very careful not to confuse this with your consumer_secret!
  • oauth_signature_method = HMAC-SHA1 (don't change)
  • oauth_timestamp = formatted as the number of seconds since 1970-01-01
  • oauth_nonce = 10 digit random (non-repeating) alpha-numeric string (What is a 'nonce')
  • oauth_signature = the result of hashing the encoded oauth parameters, url and http method using the HMAC-SHA1 algorithm

You will also need the full target URL of the request and the HTTP verb in order to correctly generate the signature.

What you produce should look similar to this:

OAuth oauth_version="1.0",oauth_consumer_key="OAvew7ftRkmdiKOulaqS8B",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1375828061",oauth_nonce="621DNqaO3E",oauth_signature="ZAKgdrxLeGqpCYvRbP4iEVt0ZSo%3D"
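
The header construction listed above, written out by hand as an added example (not code from the SDK or from the oauth-1.0a package). It assumes the signature follows the standard OAuth 1.0 HMAC-SHA1 construction from RFC 5849 with no token (one-legged); the function names, the URL and the credentials are constructed for illustration.

```javascript
const crypto = require("crypto"); // Node.js built-in module

// RFC 3986 percent-encoding; encodeURIComponent leaves ! * ' ( ) unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
	(c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// Signature base string: METHOD & encoded base URL & encoded sorted parameters.
function baseString(method, url, oauthParams) {
	const u = new URL(url);
	const pairs = Object.entries(oauthParams).map(([k, v]) => [enc(k), enc(v)]);
	// Query-string parameters are signed together with the oauth_* parameters.
	for (const [k, v] of u.searchParams) pairs.push([enc(k), enc(v)]);
	const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
	pairs.sort((p, q) => cmp(p[0], q[0]) || cmp(p[1], q[1]));
	const normalized = pairs.map((p) => p.join("=")).join("&");
	// The base URL excludes the query string; origin lowercases scheme and host.
	return [method.toUpperCase(), enc(u.origin + u.pathname), enc(normalized)].join("&");
}

function buildAuthHeader(method, url, consumerKey, consumerSecret, timestamp, nonce) {
	const params = {
		oauth_version: "1.0",
		oauth_consumer_key: consumerKey,
		oauth_signature_method: "HMAC-SHA1",
		oauth_timestamp: String(timestamp),
		oauth_nonce: nonce,
	};
	// One-legged: there is no token secret, so the HMAC key is "<encoded secret>&".
	const key = enc(consumerSecret) + "&";
	const signature = crypto.createHmac("sha1", key)
		.update(baseString(method, url, params)).digest("base64");
	// The secret is only ever used as the HMAC key; it never appears in the header.
	const all = { ...params, oauth_signature: signature };
	return "OAuth " + Object.entries(all)
		.map(([k, v]) => `${k}="${enc(v)}"`).join(",");
}

// Constructed sample values (not real credentials); the URL is a placeholder.
function demo() {
	const timestamp = Math.floor(Date.now() / 1000); // seconds since 1970-01-01
	const nonce = crypto.randomBytes(5).toString("hex"); // 10 random hex characters
	return buildAuthHeader("GET", "https://api.example.test/Employers",
		"12345", "67890", timestamp, nonce);
}
console.log(demo());
```

The signature covers the method, the URL and every parameter, so changing any of them after signing invalidates the header; generate a fresh timestamp and nonce for each request.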

User Based Permissions

User Based Permissions Now Available
We have added support for OAuth 2.0 user based authentication including advanced user resource access permission management options!

Check out: User Permissions for more information.

C# developers - you are in luck!

Included as part of the C# SDK is a helper library, "PayRunIO.OAuth1", that, given the basic information, will help you generate a valid authorization header.

var consumerKey = "12345";
var consumerSecret = "67890";
var timestamp = TimeStampHelper.ConvertToTimeStamp(DateTime.Now);
var nonce = Nonce.New();

var generator = new OAuthSignatureGenerator();

var signature = generator.GenerateSignature(

var header = generator.BuildAuthHeader(consumerKey, timestamp, nonce, signature);

JavaScript developers - you're equally in luck

For backend or frontend JavaScript you can use the oauth-1.0a package to generate your oauth header. Follow the steps below:

  1. Install the required npm packages oauth-1.0a and crypto.
npm i -S oauth-1.0a crypto

This is shorthand for npm install oauth-1.0a crypto --save.

  2. Use the packages to generate your oauth token and request header.
	const OAuth = require("oauth-1.0a");
	const Crypto = require("crypto");

	// Configure the signer with your consumer key and consumer secret
	let oauth = OAuth({
		consumer: {
			key: "12345",
			secret: "67890"
		},
		signature_method: "HMAC-SHA1",
		hash_function(base_string, key) {
			return Crypto.createHmac("sha1", key).update(base_string).digest("base64");
		}
	});

	let request_data = {
		url: url, // the url of the request
		method: method // for example "POST" or "GET"
	};

	oauth.authorize(request_data); // generate the signed oauth parameters
  3. Use the oauth header in your request with oauth.toHeader(oauth.authorize(request_data)).

For further documentation refer to the oauth-1.0a package readme.

Manually Create Authorization header using Postman

Postman provides a useful way of exploring the capabilities of RESTful APIs; in particular it makes it easy to generate the required "authorization" header. In our case this is an implementation of OAuth 1.0 (one legged).

Step 1: Create a new request and select the Authorization tab; select OAuth 1.0 from the type dropdown.

Step 2: Complete form fields:

  • Consumer Key: {your application's consumer key}
  • Consumer Secret: {your application's consumer secret}
  • Signature Method: HMAC-SHA1

Note: Timestamp and Nonce values are required but Postman will automatically populate these if they are blank. Token, Token Secret and Realm are not required and should always be left blank.

Step 3: Ensure "Add params to header" is ticked and click "Update Request". If you then look at the Headers tab you should see that the "Authorization" header has been added and populated with the OAuth details for the request.