OAuth Validation
OAuth Validation Samples

This page should help you validate your OAuth implementation. We will use a sample private key, and show you the various OAuth outputs your code should generate.

Private Key

For this example, we will use the following RSA private key (PEM format):

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

If your code uses the private key in a PKCS#12 keystore (recommended), you can download this keystore. The keystore's password is "mcapi" and the keypair alias is "mckp".


Example 1 - Request with no HTTP Body

This first example walks through a request with no body, so no oauth_body_hash parameter is included when the signature is created. See Example 2 below for a request that has a body and therefore an oauth_body_hash.

Inputs

In addition to the private key above, we'll use these inputs:

OAuth consumer key:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Nonce:

1111111111111111111

Timestamp:

1111111111

Request URL:

https://sandbox.api.mastercard.com/atms/v1/atm?Format=XML&PageOffset=0&PageLength=10&AddressLine1=70%20Main%20St&PostalCode=63366&Country=USA

Outputs

Using the inputs and private key above, you should produce the following values.

OAuth signature base string:

GET&https%3A%2F%2Fsandbox.api.mastercard.com%2Fatms%2Fv1%2Fatm&AddressLine1%3D70%2520Main%2520St%26Country%3DUSA%26Format%3DXML%26PageLength%3D10%26PageOffset%3D0%26PostalCode%3D63366%26oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26oauth_nonce%3D1111111111111111111%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1111111111%26oauth_version%3D1.0

OAuth signature:

CxxpIsqfwpJDCB5zttKEORN2V5A4xwkz6XPrn%2B882m3CBCtHGBy5uL%2FwXp0Vumn4UO2GnGyOd0N%2Bt0uVau%2FSy61%2FiV1f%2BWBRVx3jTrpcCwX9N7YpFnXAY%2Bf0ZGYGv%2BWjFL9KXzGe152SMcmP8yJbuJCsLT5k4XzIrCJeD0edoeE%3D

Authorization header:

OAuth oauth_signature="CxxpIsqfwpJDCB5zttKEORN2V5A4xwkz6XPrn%2B882m3CBCtHGBy5uL%2FwXp0Vumn4UO2GnGyOd0N%2Bt0uVau%2FSy61%2FiV1f%2BWBRVx3jTrpcCwX9N7YpFnXAY%2Bf0ZGYGv%2BWjFL9KXzGe152SMcmP8yJbuJCsLT5k4XzIrCJeD0edoeE%3D",oauth_version="1.0",oauth_nonce="1111111111111111111",oauth_signature_method="RSA-SHA1",oauth_consumer_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",oauth_timestamp="1111111111"




Example 2 - Request with an HTTP body

This second example walks through a request with an HTTP body, so an oauth_body_hash parameter is required when the signature is created.

Inputs

In addition to the private key above, for this example, we'll use:

OAuth consumer key:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Nonce:

1111111111111111111

Timestamp:

1111111111

Request URL:

https://sandbox.api.mastercard.com/fraud/merchant/v1/termination-inquiry?Format=XML&PageLength=10&PageOffset=0

Request HTTP body:
There are intentionally no line feeds or carriage returns in this example.

<?xml version="1.0" encoding="Windows-1252"?><ns2:TerminationInquiryRequest xmlns:ns2="http://mastercard.com/termination"><AcquirerId>1996</AcquirerId><TransactionReferenceNumber>1</TransactionReferenceNumber><Merchant><Name>TEST</Name><DoingBusinessAsName>TEST</DoingBusinessAsName><PhoneNumber>5555555555</PhoneNumber><NationalTaxId>1234567890</NationalTaxId><Address><Line1>5555 Test Lane</Line1><City>TEST</City><CountrySubdivision>XX</CountrySubdivision><PostalCode>12345</PostalCode><Country>USA</Country></Address><Principal><FirstName>John</FirstName><LastName>Smith</LastName><NationalId>1234567890</NationalId><PhoneNumber>5555555555</PhoneNumber><Address><Line1>5555 Test Lane</Line1><City>TEST</City><CountrySubdivision>XX</CountrySubdivision><PostalCode>12345</PostalCode><Country>USA</Country></Address><DriversLicense><Number>1234567890</Number><CountrySubdivision>XX</CountrySubdivision></DriversLicense></Principal></Merchant></ns2:TerminationInquiryRequest>

Outputs

Using the inputs and private key above, you should produce the following values.

OAuth body hash:

WhqqH+TU95VgZMItpdq78BWb4cE=

OAuth signature base string:

POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Ffraud%2Fmerchant%2Fv1%2Ftermination-inquiry&Format%3DXML%26PageLength%3D10%26PageOffset%3D0%26oauth_body_hash%3DWhqqH%252BTU95VgZMItpdq78BWb4cE%253D%26oauth_consumer_key%3Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%26oauth_nonce%3D1111111111111111111%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1111111111%26oauth_version%3D1.0

OAuth signature:

Yh7m15oV0XbRTFP%2Fp4T56sg38QDLKEh4cVK90taaHstE%2FjTdCn53CtbUETQFWLR2VdMMv8ujeewM3NDzLRfVLqwE%2FsWbpeaWtm%2FpffAvHjXFTquo4hBE6CPRNEqFyIjCz4lNaYoeaQMFJVmYfSF2CWn46RP3wmIrfs5IfQNtwUI%3D

Authorization header:

OAuth oauth_signature="Yh7m15oV0XbRTFP%2Fp4T56sg38QDLKEh4cVK90taaHstE%2FjTdCn53CtbUETQFWLR2VdMMv8ujeewM3NDzLRfVLqwE%2FsWbpeaWtm%2FpffAvHjXFTquo4hBE6CPRNEqFyIjCz4lNaYoeaQMFJVmYfSF2CWn46RP3wmIrfs5IfQNtwUI%3D",oauth_body_hash="WhqqH+TU95VgZMItpdq78BWb4cE=",oauth_version="1.0",oauth_nonce="1111111111111111111",oauth_signature_method="RSA-SHA1",oauth_consumer_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",oauth_timestamp="1111111111"
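
The following added example (not part of the original page or of MasterCard's own code) rebuilds the signature base strings of Example 1 and Example 2 from the inputs above, so you can compare each intermediate value with your own implementation before signing. The function names are illustrative; the Example 2 body hash is passed in as the value printed on the page, and the RSA-SHA1 signing step, which needs the sample private key, is not included.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, quote, urlsplit

# Sample inputs copied from the page.
CONSUMER_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
NONCE = "1111111111111111111"
TIMESTAMP = "1111111111"
HOST = "https://sandbox.api.mastercard.com"


def pct(value):
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")


def body_hash(body):
    """oauth_body_hash value: Base64 of the SHA-1 digest of the raw body bytes."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode("ascii")


def base_string(method, url, body_hash_value=None):
    oauth = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": NONCE,
             "oauth_signature_method": "RSA-SHA1",
             "oauth_timestamp": TIMESTAMP, "oauth_version": "1.0"}
    if body_hash_value is not None:
        oauth["oauth_body_hash"] = body_hash_value
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"  # query string removed
    # Decode the query parameters, then encode them once together with the
    # oauth_* parameters and sort by encoded name (and value on ties).
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth.items())
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    # Encoding the joined parameter string again is why %20 becomes %2520.
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def example_1():
    return base_string("GET", HOST + "/atms/v1/atm?Format=XML&PageOffset=0"
                       "&PageLength=10&AddressLine1=70%20Main%20St"
                       "&PostalCode=63366&Country=USA")


def example_2():
    return base_string("POST", HOST + "/fraud/merchant/v1/termination-inquiry"
                       "?Format=XML&PageLength=10&PageOffset=0",
                       body_hash_value="WhqqH+TU95VgZMItpdq78BWb4cE=")


if __name__ == "__main__":
    print(example_1())
    print(example_2())
```

If your base string differs from the page's, the usual causes are skipping the second encoding pass, sorting before encoding, or hashing a body whose bytes differ from what is actually sent (for example added line feeds).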

© 1994-2014. MasterCard. All rights reserved.