OAuth 1

This page is in development.


OAuth 1.0 involves the use of cryptographic signatures for message integrity and verification. It requires the consumer (in this case, Patchworks) to sign API requests using a consumer secret, which is provided by the service provider. The service provider verifies these signatures to ensure the integrity of the requests.

Patchworks supports the following signature methods:

  • HMAC-SHA256

OAuth 1.0 has been largely superseded by OAuth 2.0.

How it works

Here's how OAuth 1 authentication works:


Consumer registration

Resource owner/user

The Patchworks customer completes the consumer registration process with the third-party application service provider. During registration, the consumer obtains a unique consumer key and consumer secret.


User initiation

Resource owner/user

The user initiates the authorisation process by clicking on a login or authorisation button in the client application - in this case, when adding a Patchworks connector instance.


Token request


A request is sent to the service provider's token endpoint. This request includes a signature (generated by Patchworks), the consumer key, and a callback URL (where the user will be redirected after authentication).


User authentication

Service provider/ authorisation server

The service provider validates the request and authenticates the user. If the user is not already logged in, they are prompted to enter their credentials on the service provider's website.


Request token issued

Service provider/ authorisation server

After successful authentication, the service provider issues a request token, confirming approved access for Patchworks to access the user's resources.


User authorisation

Resource owner/user

The user is presented with a permission prompt by the service provider. The prompt explains what access the consumer is requesting and asks the user to grant or deny permission.


Redirect to consumer

Service provider/ authorisation server

When the user grants permission, the service provider redirects the user back to the Patchworks callback URL, together with the request token and additional parameters.


Access token request


Patchworks receives the request token and sends a request to the service provider's token endpoint, including the request token, consumer key, signature, and other necessary parameters. Note that the signature is the same signature that was used in step 3.


Access token issued

Service provider/ authorisation server

The service provider validates the request token and consumer credentials. If everything is OK, the service provider issues an access token and an access token secret to Patchworks.


Resource access


The consumer can include the access token in API requests to the service provider, to access the user's protected resources.

OAuth 1 authentication examples

It can be useful to compare how existing connectors have been configured for OAuth 1 authentication.

Since OAuth 2 has largely taken over from OAuth 1, there aren't many examples in the Patchworks marketplace however, you will find both OAuth 1 and OAuth 2 defined for our NetSuite connector. You can install this for comparison.

Last updated