Apicat Docs

OAuth 1.0

OAuth 1.0 is an authorization mechanism based on the OAuth protocol that allows third-party applications to access protected resources. For example, as a user of Product A, you can log in to Platform B directly with your Product A account, without exposing your Product A username and password to Platform B.
OAuth 1.0 also uses a signature to verify the integrity and authenticity of each request, and a timestamp and a nonce to prevent replay attacks. In addition, tokens and keys are known only to the authorized application and the service provider.

Basic Setup

On the "Auth" page, select "OAuth 1.0" as the authorization method, and fill in the following information:
Add Location
Where the OAuth parameters are added to the request. You can choose either Request Body/Request URL or Request Header.
Signature Method
The algorithm used to sign the request. Supported methods: HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512 and PLAINTEXT.
Consumer Key
A unique identifier assigned by the service provider to the application.
Consumer Secret
A secret key assigned by the platform to the application.
Access Token
The access token is a token issued by the service provider after the user authorizes the application, which is used to access the user's protected resources. It allows the application to perform limited operations on behalf of the user without requiring the user to provide their username and password.
Token Secret
The token secret is a secret string associated with the access token. Like the consumer secret, it is used to create the signature during the OAuth 1.0 handshake to ensure the integrity and security of the request.

Advanced Settings

Click the "Advanced" option to configure the additional settings below. Any setting left blank is generated automatically.
Callback URL
The URL to which the service provider redirects the user after the user authorizes the third-party application. This redirect is the last step in the OAuth 1.0 authorization flow.
Verifier
A random string generated by the service provider during an intermediate step of the OAuth 1.0 authorization flow. It is used to verify that the user has authorized the third-party application to access their resources.
Timestamp
The timestamp is a parameter in the OAuth 1.0 request, which is used to prevent replay attacks. It is a Unix timestamp representing the time the request was initiated.
Nonce
The nonce is a parameter in the OAuth 1.0 request, which is used to prevent replay attacks. It is a random string used to uniquely identify a request.
Version
The OAuth version. The default value does not need to be changed.
Realm
Used to identify the security domain or scope to which the protected resource belongs.
In addition to the options above, you can choose whether to enable the "Include body hash" and "Add empty parameters to signature" options.
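How the signature, timestamp and nonce described above fit together, as an added example that is not Apidog's own code: a client signs a request with HMAC-SHA256 over the RFC 5849 signature base string, and a server checks the timestamp, the signature and the nonce. All function and class names are hypothetical, and the URL passed in is assumed to carry no query string.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded URL & encoded sorted parameters (one value per name).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA256 keyed with "consumer_secret&token_secret".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha256).digest()).decode()

def signed_params(method, url, params, consumer_key, consumer_secret,
                  token, token_secret, now=None):
    p = dict(params, oauth_consumer_key=consumer_key, oauth_token=token,
             oauth_signature_method="HMAC-SHA256", oauth_version="1.0",
             oauth_timestamp=str(int(time.time() if now is None else now)),
             oauth_nonce=secrets.token_hex(16))
    p["oauth_signature"] = sign(method, url, p, consumer_secret, token_secret)
    return p

class Verifier:
    # Server side: freshness window, signature check, then nonce replay cache.
    def __init__(self, consumer_secret, token_secret, max_skew=300):
        self.secrets = (consumer_secret, token_secret)
        self.max_skew, self.seen = max_skew, set()
    def check(self, method, url, params, now=None):
        now = time.time() if now is None else now
        ts = params.get("oauth_timestamp", "")
        if not (ts.isdecimal() and len(ts) <= 12) or abs(now - int(ts)) > self.max_skew:
            return "stale timestamp"
        expected = sign(method, url, params, *self.secrets).encode()
        if not hmac.compare_digest(expected, params.get("oauth_signature", "").encode()):
            return "bad signature"
        # Record the nonce only after the signature verifies (unsigned traffic cannot fill the cache).
        key = (params.get("oauth_token"), ts, params.get("oauth_nonce"))
        if key in self.seen:
            return "replayed nonce"
        self.seen.add(key)
        return "ok"
```

A production verifier would also expire cached nonces once their timestamp falls outside the accepted window, so the cache stays bounded.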
Modified at 2025-06-25 07:57:16