OAuth Echo

OAuth Echo was recently developed by Twitter’s head of platform Raffi Krikorian as a way to ‘delegate identity verification’. As of June 30 it will no longer be possible to log in to the API with a Twitter username/password. OAuth will be the only way to authenticate your users. For non-web applications Twitter has released XAuth, a way to convert a username/password combination to OAuth tokens. All other apps are forced to switch to OAuth.

Because of this move, it will no longer be possible to authenticate users to the Mobypicture API by providing a Twitter username/password combo. Luckily Twitter’s head of platform Raffi Krikorian has thought of a way to provide delegated authentication, called OAuth Echo.

To re-state the problem in Raffi’s words:

You’re an OAuth enabled Twitter client, and you’ve already authorized your user. Your user wants to use a media providing service like Mobypicture. Mobypicture, currently, asks for the username and password of your user so it can store the photo on behalf of the Twitter user. You don’t have that username and password, so how do you give the ability to Mobypicture to verify the identity of your user?

OAuth Echo was developed to solve this issue. The spec is no more than one page long and quite easy to implement on the client side. The client just gives Mobypicture the content of the OAuth Authorization header, which it would normally have sent to Twitter to call ‘verify_credentials’. Mobypicture can then use that header to identify the given user on Twitter.

Raffi also provided some guidelines and best practices to make the implementation and migration as easy as possible. Mobypicture supports sending the OAuth Echo parameters either by headers or by POST variables.

OAuth Echo works on both our current 1.0 and our new 2.0 API, on all actions which require authentication. Besides the normal parameters, send along the following headers or POST variables (don’t forget to urlencode your POST variables):

  • X-Auth-Service-Provider (or x_auth_service_provider as POST var)

    This is the realm that identity delegation should be sent to. Just set this to https://api.twitter.com/1/account/verify_credentials.json

  • X-Verify-Credentials-Authorization (or x_verify_credentials_authorization as POST var)

    The OAuth enabled Twitter client should create all the OAuth parameters necessary so it could call https://api.twitter.com/1/account/verify_credentials.json using OAuth in the HTTP header (e.g. it should look like OAuth oauth_consumer_key="…", oauth_token="…", oauth_signature_method="…", oauth_signature="…", oauth_timestamp="…", oauth_nonce="…", oauth_version="…")

That’s all! If the user you are authenticating does not already have a Mobypicture account, we’ll automatically create one.

A good way to test your OAuth Echo implementation is to call the checkCredentials method on our 1.0 API. When a 0 is returned, you have successfully authenticated your user through OAuth Echo.
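
The two values described above can be produced and checked as in the following added example, which is not Mobypicture's or Twitter's own code. It assumes HMAC-SHA1 signing and a GET request to verify_credentials; the function names and all credentials are hypothetical, and `accept_echo` sketches the check a delegator can make before replaying the header.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# URL given on this page for X-Auth-Service-Provider.
PROVIDER = "https://api.twitter.com/1/account/verify_credentials.json"
REQUIRED = {"oauth_consumer_key", "oauth_token", "oauth_signature_method",
            "oauth_signature", "oauth_timestamp", "oauth_nonce", "oauth_version"}

def enc(s):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def echo_headers(consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    """Client side: sign a GET to PROVIDER, but hand the header to the delegator."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",  # assumption, see lead-in
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    normalized = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    base = "&".join(["GET", enc(PROVIDER), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(digest).decode()
    auth = "OAuth " + ", ".join(f'{k}="{enc(v)}"' for k, v in sorted(params.items()))
    return {"X-Auth-Service-Provider": PROVIDER,
            "X-Verify-Credentials-Authorization": auth}

def accept_echo(headers):
    """Delegator side: decide whether to forward the header to the provider."""
    if headers.get("X-Auth-Service-Provider") != PROVIDER:
        return False  # never replay credentials to a caller-chosen URL
    auth = headers.get("X-Verify-Credentials-Authorization", "")
    if not auth.startswith("OAuth "):
        return False
    names = {p.split("=", 1)[0].strip() for p in auth[6:].split(",")}
    return REQUIRED <= names
```

The signature covers only the verify_credentials call, so the client never hands over its consumer secret or token secret, only a single signed request that the delegator replays.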

This page is last updated on April 15, 2011 by
