OAuth signing

Eloqua signs all outgoing calls with OAuth 1.0a so the receiving system, in this case your app, can validate that the call was sent by Eloqua. As an app provider, it is your responsibility to ensure the validity of all inbound calls. Validation should be performed on every inbound call your app receives with OAuth parameters.

When your application receives any call from Eloqua, it will be appended by the following information:

Parameter Description Example value
oauth_consumer_key Your app's Client Id. eb954432-a19f-4250-85dd-827a9ddf17db
oauth_nonce A random unique number used by the app provider to verify that a request has never been made before, preventing replay attacks. Nonces only need to be unique for all requests using the same time stamp. 9519484
oauth_signature_method Eloqua uses a keyed-hash message authentication specification known as HMAC-SHA1 to sign outgoing calls. HMAC-SHA1
oauth_timestamp The timestamp is expressed in UTC in UNIX format, expressed as the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value must be no more than 5 minutes older than your current server time. 1410986606
oauth_version 1.0 1.0
oauth_signature This is the value against which to validate. AZbD26DeXrEV6iNLqBAxSXwWURg=

Example: Eloqua makes a call to your app situated at https://app.example.com/action/create in order to pass some information: instance_id=768acf98-f0d2-4f1b-8956-bd204de20684&site_id=b379a93e-dd7a-41a1-99be-fffd93c8e4fa. This HTTP call would look something like:

https://app.example.com/action/create?instance_id=768acf98-f0d2-4f1b-8956-bd204de20684&site_id=b379a93e-dd7a-41a1-99be-fffd93c8e4fa&oauth_consumer_key=eb954432-a19f-4250-85dd-827a9ddf17db&oauth_nonce=9519484&oauth_signature_method=HMACSHA1&oauth_ timestamp=1410986606&oauth_version=1.0&oauth_ signature=xoEGUaC029gD8UWeEOyguxGBkZU%3D

Refer to the OAuth 1.0a spec or OAuth 1.0 RFC for more information.

Next steps

Validating a call signature

Learn more

Authenticate using OAuth 2.0