
On the E*Trade authorization API documentation for Get Request Token, it states that the oauth_signature is generated with "the shared secret and token secret".

When I generated my sandbox key, I was presented with the following information:

Individual Consumer Key
Your active SANDBOX API key is: abc123, and secret is: def456.

What are shared secret and token secret, and how do they map to the values provided above?

mark

2 Answers


I figured out how to generate the signature for the purposes of Get Request Token.

Both the SANDBOX API key and SANDBOX API secret are needed.

I believe shared secret refers to the SANDBOX API secret. It seems that token secret is not needed to generate the oauth_signature for Get Request Token.

Here is my implementation of generating the oauth_signature in JavaScript using the oauth-sign library:

const oauthsign = require("oauth-sign");

const oauth_consumer_key = "..."; // "SANDBOX API key"
const consumer_secret =  "..."; // "secret"
const oauth_timestamp = "1614463663"; // current time in seconds
const oauth_nonce = "123abc";
const oauth_signature_method = "HMAC-SHA1";
const oauth_callback = "oob"; // out-of-band callback
const base_uri = "https://apisb.etrade.com/oauth/request_token"; // N.B. "apisb"

const oauth_signature = oauthsign.hmacsign(
  "GET",
  base_uri,
  { oauth_consumer_key, oauth_timestamp, oauth_nonce,
    oauth_signature_method, oauth_callback },
  consumer_secret
);
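// Percent-encode each value: the base64 signature can contain "+", "/" and "=",
// which would otherwise be misread in a query string.
const paramsString = Object.entries({
  oauth_consumer_key, oauth_timestamp, oauth_nonce,
  oauth_signature_method, oauth_callback, oauth_signature
}).map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");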

const result = `${base_uri}?${paramsString}`;
console.log(result);

// will produce a URL like
// https://apisb.etrade.com/oauth/request_token?oauth_consumer_key=...&oauth_timestamp=1614463663&oauth_nonce=123abc&oauth_signature_method=HMAC-SHA1&oauth_callback=oob&oauth_signature=...

mark

A shared secret is your "permanent" client/consumer secret given to you by E*Trade (can be sandbox (for testing purposes) and production (live)). A token secret is more "transitory" - it is generated whenever a new token is obtained. The two secrets are concatenated to form a key which is used to create an oauth signature to sign your requests.
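
The key construction described in this answer, written out as an added example (not code from either answer or from E*Trade's documentation): an OAuth 1.0a HMAC-SHA1 signer using only Node's built-in `crypto`, showing that the key is always `consumer_secret&token_secret` and that the token secret is simply empty at the Get Request Token step. The function names and the `tokensecret-example` value are constructed for illustration; `abc123` and `def456` are the placeholder values from the question.

```javascript
const crypto = require("crypto");

// RFC 3986 percent-encoding, which OAuth 1.0a requires
// (encodeURIComponent leaves ! ' ( ) * unescaped).
const pct = (s) =>
  encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

// HMAC key = consumer (shared) secret + "&" + token secret.
// The "&" is always present; the token secret is "" until a token is issued.
function signingKey(consumerSecret, tokenSecret = "") {
  return `${pct(consumerSecret)}&${pct(tokenSecret)}`;
}

// Signature base string: METHOD & encoded URL & encoded, sorted parameters.
function baseString(method, url, params) {
  const normalized = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join("&");
  return [method.toUpperCase(), pct(url), pct(normalized)].join("&");
}

function sign(method, url, params, consumerSecret, tokenSecret = "") {
  return crypto
    .createHmac("sha1", signingKey(consumerSecret, tokenSecret))
    .update(baseString(method, url, params))
    .digest("base64");
}

// Constructed sample values (placeholders, not real credentials).
const requestTokenParams = {
  oauth_consumer_key: "abc123", oauth_timestamp: "1614463663",
  oauth_nonce: "123abc", oauth_signature_method: "HMAC-SHA1",
  oauth_callback: "oob",
};
const url = "https://apisb.etrade.com/oauth/request_token";
console.log(signingKey("def456"));                        // request-token step
console.log(signingKey("def456", "tokensecret-example")); // once a token exists
console.log(sign("GET", url, requestTokenParams, "def456"));
```

The returned signature is raw base64, so it still has to be percent-encoded when placed in a query string or `Authorization` header.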