Yes, your request for an access token should be signed with the request token secret; that is the oauth_token_secret that you received with your request token. Also, requests for access to APIs should be signed with the access token secret, that is the oauth_token_secret that you received with your access token. I'm surprised that the service provider accepts requests that are signed without the token secrets.
Here's a simpler way to construct the URL for requesting an access token, or access to an API. It yields the same result, letting oauth.js handle more of the details. var accessor = { consumerKey: '...', consumerSecret: '...', token: '...', tokenSecret: '...'}; var message = { method: "GET", action: "http://...", parameters: [ ['oauth_signature_method', 'HMAC-SHA1'], ['xoauth_requestor_id', guid], ['format', 'json']]}; OAuth.completeRequest(message, accessor); var signedURL = OAuth.addToURL(message.action, message.parameters); On Jun 17, 10:49 pm, Matt Raible <mrai...@gmail.com> wrote: > ... Looking > at both Paul Donnelly's and yours, neither contains the "tokenSecret" > in the accessor that's used to sign the access_token request, as well > as any API requests. Am I correct in assuming that the tokenSecret > (the "auth_token_secret" value returned after getting the initial > token) is needed for these two calls? > > To be clear, I can reliably get a token and authorize it. After that, > it seems like getting an access_token works 50% of the time and > calling the api (with auth_token as a param in the URL) works 30% of > the time. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---