Sign return URLs

❗ Important The shared credentials option described in this topic is deprecated as of December 1, 2020 and is no longer be available for new product integrations. Integrations that were created with shared credentials prior to that date continue to work. For enhanced security, AppDirect recommends that you use the separate credentials type for applications, and that you migrate existing products that use shared credentials to separate credentials. For more information about deprecation, see Product lifecycle phases.

With AppDirect's interactive callbacks, a user is redirected to an application's website to complete some transactions (for example, a subscription order). After completing that transaction on the application side, the application redirects the user to AppDirect. To ensure that the redirect comes from the application, a two-legged OAuth signature is applied to the redirect URL itself.

For example, if a SUBSCRIPTION_ORDER event were passed with a redirect URL, such as https://www.appdirect.com/finishorder, and if the order were handled successfully and the parameters "success=true" and "accountIdentifier=Alice" were returned (https://www.appdirect.com/finishorder?success=true&accountIdentifer=Alice), the application would need to sign the URL with the OAuth consumer key "Dummy" and secret "secret" as follows:

https://www.appdirect.com/finishorder?success=true&accountIdentifer=Alice&oauth_nonce=95009478&oauth_timestamp=1294967177&oauth_consumer_key=Dummy&oauth_signature_method=HMAC-SHA1&oauth_version=1.0&oauth_signature=sTmXIbI2QgUCroj9mIPBp6NPars%3D