Always getting "Invalid Signature" when requesting request token with OAuth 1.0a


Dinis Pereira

May 20, 2025, 8:03:41 AM
to fatsecret Platform API

Hi everyone,

I'm currently running into an issue when trying to get a request token from FatSecret's API using OAuth 1.0a — the API always returns an invalid signature error, and I can't seem to figure out why.

I'm using the consumer_key and consumer_secret provided in my developer account (I've double-checked them via console.log and they are correct). I'm generating the signature using the oauth-1.0a library in Node.js, with HMAC-SHA1 as the signature method. Here's the relevant snippet:

const oauth = new OAuth({
  consumer: {
    key: process.env.CONSUMER_KEY,
    secret: process.env.CONSUMER_SECRET,
  },
  signature_method: 'HMAC-SHA1',
  hash_function(base_string, key) {
    return crypto
      .createHmac('sha1', key)
      .update(base_string)
      .digest('base64');
  },
});

I'm calling http://authentication.fatsecret.com/oauth/request_token and have tried both GET (with all OAuth params in the query string) and POST (with the OAuth params in the Authorization header). Both attempts return the same invalid signature error.

The OAuth parameters like oauth_nonce, oauth_timestamp, oauth_signature_method, etc., are being auto-generated by the library. I’ve also tried placing oauth_callback in the body and in the query string.

Everything seems correct at first glance — is there something specific to FatSecret’s implementation I might be missing? Could it be related to how the base string is built or how the signature is being generated?

Any help would be greatly appreciated.

Thanks!
Dinis Pereira

Dinis Pereira

May 20, 2025, 6:38:33 PM
to fatsecret Platform API
Here is the full code:
import axios from 'axios';
import OAuth from 'oauth-1.0a';
import crypto from 'crypto';
import { Request, response, Response } from 'express';
import { error } from 'console';

export class FatsecretAuthController {
  async getRequestToken(req: Request, res: Response) {
    const consumer_key = process.env.CONSUMER_KEY;
    const consumer_secret = process.env.CONSUMER_SECRET;

    const Oauth = new OAuth({
      consumer: {
        key: `${consumer_key}`,
        secret: `${consumer_secret}`,
      },
      signature_method: 'HMAC-SHA1',
      hash_function(base_string, key) {
        return crypto
          .createHmac('sha1', key)
          .update(base_string)
          .digest('base64');
      },
    });

    const callback = 'http://localhost:3000/oauth/callback';

    const request_data = {

      method: 'GET',
      data: {
        oauth_callback: callback,
      },
    };

    const authHeader = Oauth.authorize(request_data);
    console.log('Aqui esta ele', authHeader);

    const allParams = new URLSearchParams({
      ...authHeader,
      oauth_callback: callback,
    }).toString();

    const finalUrl = `${request_data.url}?${allParams}`;
    console.log(finalUrl);
    const response = await axios({
      method: 'GET',
      url: finalUrl,

      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
      }, // header for the auth
    })
      .then((response) => {
        console.log(response.data);
        res.status(201).json(response.data);
      })
      .catch((error) => {
        console.error(error);
        console.log();
        res.status(400).json(error);
      });
  }
}
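
To compare against what a signing library produces, the RFC 5849 signature base string and HMAC-SHA1 signature for the request-token step can be built by hand; this version also folds query-string parameters into the base string, which covers the GET variant described above. This is an added example, not part of the original posts and not FatSecret's code: the key, secret, nonce and timestamp are constructed sample values, and the helper names (`pct`, `baseUri`, `baseString`, `sign`, `verify`) are hypothetical.

```javascript
const crypto = require('node:crypto');

// RFC 5849 section 3.6 encoding: encodeURIComponent leaves ! * ' ( )
// unescaped, so escape them explicitly.
const pct = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Base string URI (section 3.4.1.2): lowercase scheme and host, default
// port dropped, path kept, query string excluded.
function baseUri(rawUrl) {
  const u = new URL(rawUrl);
  return `${u.protocol}//${u.host}${u.pathname}`;
}

const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// Signature base string (section 3.4.1): METHOD & enc(uri) & enc(params).
// Query-string parameters are signed together with the oauth_* ones.
function baseString(method, rawUrl, params) {
  const enc = [...new URL(rawUrl).searchParams, ...Object.entries(params)]
    .filter(([k]) => k !== 'oauth_signature')
    .map(([k, v]) => [pct(k), pct(String(v))])
    .sort(([ak, av], [bk, bv]) => cmp(ak, bk) || cmp(av, bv))
    .map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), pct(baseUri(rawUrl)), pct(enc)].join('&');
}

// Signing key: enc(consumer_secret) & enc(token_secret). At the
// request-token step there is no token yet, so the key ends in '&'.
function sign(base, consumerSecret, tokenSecret = '') {
  return crypto.createHmac('sha1', `${pct(consumerSecret)}&${pct(tokenSecret)}`)
    .update(base).digest('base64');
}

// Constant-time comparison, as a verifying server would do it.
function verify(base, signature, consumerSecret, tokenSecret = '') {
  const a = Buffer.from(sign(base, consumerSecret, tokenSecret));
  const b = Buffer.from(String(signature));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample values (not real credentials).
const SAMPLE_URL = 'http://authentication.fatsecret.com/oauth/request_token';
const SAMPLE = {
  oauth_consumer_key: 'demo-key', oauth_nonce: 'abc123',
  oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: '1747728221',
  oauth_version: '1.0', oauth_callback: 'http://localhost:3000/oauth/callback',
};
console.log(baseString('GET', SAMPLE_URL, SAMPLE));
```

Printing a library's base string next to this one for the same nonce and timestamp shows which component (method, URI, or a parameter's encoding) differs.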

seba...@fatsecret.com

May 20, 2025, 6:40:08 PM
to fatsecret Platform API
Thanks for reaching out, sorry to hear you are having trouble getting OAuth signatures set up.
Please start with using Postman first and then check your code above against the other examples of OAuth signature errors and fixes posted in this group forum historically.

Paul

May 25, 2025, 6:48:25 PM
to fatsecret Platform API
Hi, Sebastian! When I am trying to use Postman's example of 3-Legged auth (this request here https://www.postman.com/fatsecret/fatsecret-public-apis/request/cwvamuk), I get the same error — for example:
Invalid signature: oMZ8%2B14YCFoOUjmRQASvqOrFhLo%3D

I use my consumer_key and consumer_secret given at the platform — don't make any edits to the request.

Is there any other authorization example on Postman for 3-legged auth? 
Thanks, Paul

seba...@fatsecret.com

May 25, 2025, 6:49:16 PM
to fatsecret Platform API
Thanks for following up. We don't have any other code examples available at this stage.

Paul

May 26, 2025, 4:56:19 PM
to fatsecret Platform API
Hey, so, bluntly speaking — it's not technically possible to develop 3-legged auth at this stage?

seba...@fatsecret.com

May 26, 2025, 4:57:36 PM
to fatsecret Platform API
Thanks for following up. We do have 3-legged OAuth available via our API with thousands of developers using this feature. We currently can't see any error report or logs that would imply there is an issue. Please refer to the documentation here
https://platform.fatsecret.com/docs/guides/authentication/oauth1/three-legged