Authorize inbound API requests (legacy)

❗ Important The shared credentials option described in this topic is deprecated as of December 1, 2020 and is no longer be available for new product integrations. Integrations that were created with shared credentials prior to that date continue to work. For enhanced security, AppDirect recommends that you use the separate credentials type for applications, and that you migrate existing products that use shared credentials to separate credentials. For more information about deprecation, see Product lifecycle phases.

The shared credentials authorization type relies on two-legged OAuth 1.0, also known as signed fetch, for both inbound and outbound API requests. Rather than obtaining access tokens, all requests are signed using the consumer key and secret generated in your product profile. The following example demonstrates how to retrieve an event detail for a product with an OAuth 1.0 consumer key of "sM137PfAbYF".

Note that the Authorization header must be contained on a single line. Line breaks have been inserted here for clarity.

GET /api/integration/v1/events/12345 HTTP/1.1

Host: www.acme-marketplace.com

Authorization: OAuth oauth_consumer_key="sM137PfAbYF",

oauth_signature_method="HMAC-SHA1",

oauth_timestamp="1560207509",

oauth_nonce="QEBKRiSeQdU",

oauth_version="1.0",

oauth_signature="TX0Upqj9rNqBzOXAQAei7GBspEc%3D"