OAuth

The new API (/api/2/*) is powered by Piston, and authentication is provided via OAuth. OAuth is a means for users to grant a third-party application permission to act on their behalf without supplying a username and password.

The OAuth Dance

The OAuth “dance” involves a number of steps:

  1. Requesting an OAuth Request Token. The third party app (e.g. Flight Deck) requests a Request Token from the website (e.g. AMO).
  2. The app sends the user with the Request Token to an authorization page.
  3. The app requests an Access Token with the user-authorized Request Token.

Each of these requests must contain various OAuth headers and request parameters, and must be signed in a specific manner.

This is detailed in our api tests in _oauth_flow.
