">mixi Developer Center (mDC)

mixi Apps

mixi Apps (English) » Technical Specification » Mobile » Access with 2-legged Oauth Signature to RESTful API

Access with 2-legged Oauth Signature to RESTful API

The appropriate signature with 2-legged OAuth is required for access to RESTful PIs in a mixi App.

Preparation for Signature

oauth_consumer_key Consumer_key issued previously
oauth_nonce Random strings (it should be unique for each request)
oauth_signature Signature validating API requests
oauth_signature_method HMAC-SHA1
oauth_timestamp UNIX timestamp
oauth_version 1.0
xoauth_requestor_id (for PC) Viewer ID
(for mobile) opensocial_owner_id received as request parameter

How to Generate OAuth Signature

The following describes how to generate OAuth Signature for the access to RESTful API. Currently, only HMAC-SHA1 is supported for the signature method.

First of all, three values have to be prepared:

  1. HTTP request method (e.g. GET, POST).
  2. The API URL where the request is sent. Any query parameter should not be included.
  3. Various parameters necessary for OAuth. These parameters must be sorted by the alphabetical order.in advance.

For example,

  1. GET
  2. http://api-example.mixi.jp/people/@me/@self
  3. oauth_consumer_key=bc906fac81f581c3c96a&oauth_nonce=5c261539688b2a591aad&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1244636076&oauth_version=1.0&xoauth_requestor_id=xxxxxxxx

Then the base string can be generated by concatenating with ‘&’ after URI escape for the values above.


The signature is developed by creating a digest value with HMAC-SHA1 from the base string and encode the digest value in BASE64. The common key used in this case is comprised of consumer_secret and a blank Token Secret, concatenated with ‘&’. The consumer_secret is issued when a mixi App is registered.
For instance, if consumer_secret is 79e0a55cde43e7dc86fd1e1366d6b6ac7771db8, the common key becomes 79e0a55cde43e7dc86fd1e1366d6b6ac7771db8&.
The signature, thus, turns out to be.


By adding the parameters generated to the authorization header API request can be sent.

GET http://api-example.mixi.jp/people/@me/@self?xoauth_requestor_id=xxxxxxxx
Authorization: OAuth

Note that the consumer_key and consumer_secret above are samples, and the developer cannot use these values for actual API access.
consumer_secret is a strictly confidential and it must not be disclosed externally under any circumstances.

See OAuth Consumer Request 1.0 Draft 1 for further details.


OAuth Consumer Request 1.0 Draft 1
December 2007.