Specifications for Signature Construction for the TBA Authorization Flow

This section contains details about the specifications for creating signatures required for both Step One and Step Three of the TBA authorization flow. For more information about signatures, refer to Section 3.4 of RFC 5849.


The end of support for the HMAC-SHA1 signature method targeted for 2021.2 has been postponed. However, the algorithm used by the HMAC-SHA1 signature method is no longer considered secure. You should update your integrations to use the HMAC-SHA256 signature method as soon as possible.


For more information about encoding, refer to Section 3.6 of RFC 5849:

  • For Text values, refer to RFC 3629. Text values must be encoded as UTF-8 octets if they are not already encoded.

  • Values are escaped using the Percent-Encoding (%XX) mechanism:

    • Do not encode characters from the unreserved character set. Refer to Section 2.3 of RFC 3986 for documentation of the unreserved character set.

    • All other characters must be encoded.

    • Two hexadecimal characters used to represent encoded characters must be uppercase.


      A blank symbol is encoded as %20 and not as the plus (+) symbol. Be aware that some framework functions may return unwanted results.

Request Parameters Normalization

For more information, refer to Section of RFC 5849.

  • The parameters that are used include: (refer to Request Parameters, Section of RFC 5849):

    • parameters from the Authorization header (excluding “realm” and “oauth_signature”)

    • parameters from the HTTP request entity body

    • parameters from the query part of the request URL

  • Encoding of parameter names and values occurs using the algorithm described in Encoding.

  • Sorting by name is performed using ascending byte value ordering. If names are identical, sorting is done by values.

  • Names and values form pairs separated by the equal (=) symbol, even when there is no value.

  • Pairs are concatenated in the defined order by the ampersand (&) symbol.

Related Topics

Token-based Authentication (TBA)
Token-based Authentication (TBA) Tasks for Administrators
Troubleshoot Token-based Authentication (TBA)
Generating the Signature for the TBA Authorization Flow

General Notices