Click here to Skip to main content
14,880,210 members
Articles / Web Development / ASP.NET
Posted 24 Apr 2010

Tagged as


36 bookmarked

Step by Step Guide to Delicious OAuth API

Rate me:
Please Sign up or sign in to vote.
4.81/5 (12 votes)
24 Apr 2010CPOL8 min read
Learn how to use Delicious OAuth API in your .NET projects with an example


After merging with yahoo, Delicious's account registration is done using yahoo account. Moreover OAuth has been introduced for accessing Delicious's API. A guideline has been provided in Delicious's help page at describing the steps to use their API, but that is not so very illustrative. Also, no readily usable sample project or dll is available on the internet. So I have decided to write a sample application for accessing Delicious's OAuth API.  

What is OAuth? 

OAuth (Open Authorization) is an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password.

OAuth allows users to hand out tokens instead of usernames and passwords to their data hosted by a given service provider like delicious, twitter, linkedin etc. 

Steps to call Delicious API

Following are the steps to make a successful API call to delicious using OAuth.

  1. Get an API key
  2. Get a Request Token
  3. Get user permission to access their data
  4. Get an Access Token
  5. Create the request for Delicious
    1. Building the “Base String”
    2. Generate the signature
    3. Make the request
  6. Refresh Access Token for future API calls without authorization

1. Get an API key   

To access any API using OAuth, a consumer/API Key and a consumer/API Secret Key are required. These can be obtained from Yahoo! Developer Network (YDN) API key form. Fill up this form appropriately and set the access scope eg to which of the yahoo owned site(s) you need API access.
Following two figures illustrates the steps to obtain OAuth access keys:

API key form page

Figure 1: API key form page   

API key confirmation page

Figure 2: API key confirmation page 

From this step you will get following key information:

  1. an Application Id
  2. an API Key (OAuth consumer key)
  3. Shared/Consumer Secret

2. Get a Request Token

After getting the API keys, make a request to the YDN API at the following URL:

Include the following parameters:

Request ParameterDescription
oauth_nonceA random string.
oauth_timestampCurrent timestamp of the request. This value must be +/-600 seconds of the current time.
oauth_consumer_keyYour consumer key.
oauth_signature_methodThe signature method that you use to sign the request. This can be plaintext or hmac-sha1.
oauth_signatureYour shared secret.
oauth_versionOAuth version (1.0)
xoauth_lang_pref(optional) The language preference of the User; the default value is en-us.
oauth_callbackYour callback url as set up in the YDN process.

Your request should look something like the following:

Please note that you must include all the parameters specified above (except ‘xoauth_lang_pref’ which is optional) even though it might seem irrelevant in your case eg in desktop application ‘oauth_callback’ may not be required but still you need to put it in the request url.  ‘http://localhost/’ might be a sample value.

This should result in a response similar to:

which can be parsed to get:

  • oauth_token
  • oauth_token_secret
  • oauth_expires_in
  • xoauth_request_auth_url
  • oauth_callback_confirmed

3. Get user permission to access their data

To access any data form any of the user’s account, user’s explicit permission is required. To get this permission, we need to redirect the user to the url given in xoauth_request_auth_url with some additional parameters.

Your query parameters should be formed something like this:

<xoauth_request_auth_url>&oauth_nonce=<random string>&oauth_timestamp=<current timestamp>&oauth_consumer_key=<your consumer key>&oauth_signature_method=plaintext&oauth_signature=<your shared secret>&oauth_version=1.0&xoauth_lang_pref=en-us&oauth_callback=<your callback url>

Actual request URL would look like following:

Visiting this URL, user can accept or deny permission to his/her private data. If user permits access to his/her account, an email will be sent to his/her mail account with a link to revoke permission (if required).

4. Get an Access Token

Once the user has given permission for your app to access their data, all callback will be made back to your application in the following format:

<your callback url>?oauth_token=<request token>&oauth_verifier=<verifier>

Using the oauth_verifier parameter from above, and the oauth_token and oauth_token_secret (obtained in Step 2), request an access token, like this:<your consumer key>&oauth_signature_method=plaintext&oauth_version=1.0&oauth_verifier=<oauth_verifier>&oauth_token=<request_token>&oauth_nonce=<random string>&oauth_timestamp=<current timestamp>&oauth_signature=<your consumer secret>%26<request token secret>


The response to this request should be an access token string, something like:


From which you can extract:

  • oauth_token
  • oauth_token_secret
  • oauth_expires_in
  • oauth_session_handle
  • oauth_authorization_expires_in
  • xoauth_yahoo_guid

5. Create the request for Delicious

Calling the Delicious API is performed in three steps:

  1. Building the “Base String”
  2. Generate the signature
  3. Make the delicious API call

a. Building the “Base String”

At his point, we have all the necessary information to call the delicious API. But building the request with required parameters is really tricky and 90% of the developers got stuck here. So carefully follow each word of the instructions written below.

Suppose we need to call API to get suggestions for eg the full request url is

At frist, build a base string as instructed below:

  1. Take all the request parameters that you want to send to the API. In our case, this will be:
    • the url
    • oauth_consumer_key
    • oauth_nonce
    • oauth_signature_method
    • oauth_timestamp
    • oauth_token
    • oauth_version

    Then sort these parameters alphabetically, url encode each of the values and build a string of the format:


  2. Combine the request parameters with the HTTP Method being used (usually GET or POST), and the API url:<method>&<api url>&<request parameters>

    Note: the <api url> and the <request parameters> must be url encoded. Though we url encoded all the parameter values separately in the last step, we need to url encode them combining the key/value pairs.



Note: Here always the confusion arises which parameters to include in the base string and which not. Actually you need to include all the parameters both oauth’s ones (like oauth_consumer_key,  oauth_token etc.) and requested API’s ones (url for this example). If API url contains no parameter (eg then only oauth’s parameters will do and if  the API url (eg contains more parameters (eg tag and dt in this case) these also need to be included in the base string. FYI – date parameter’s (eg dt) value must be universal time and should be formatted as yyyy-MM-ddTHH:mm:ssZ.

b. Generate the signature

This step is very critical and prone to make more mistakes. Anyway, in this step you need to create a signature using HMAC-SHA1 signature algorithm.

In PHP you can build this signature very easily as code shown below:

<?php $signature = base64_encode(hash_hmac(‘sha1', <base string>, <shared secret>.’&’.<access token secret>, true)); ?>


<?php $signature = base64_encode(hash_hmac('sha1', GET&, 1e782b9c13315e30d2fbac12348942cc9db674f2.'&'.6a72597fdc62131f7167be3f9b4f31e955244bee, true)); ?>

This will result in the following string:

In C#, you can also achieve this as code shown below:

HMACSHA1 hmacsha1 = new HMACSHA1();
hmacsha1.Key = Encoding.ASCII.GetBytes(string.Format("{0}&{1}", UrlEncode(), UrlEncode()));
string signature = Convert.ToBase64String(hashAlgorithm.ComputeHash(System.Text.Encoding.ASCII.GetBytes(data)));

Using c#, here you cannot directly use HttpUtility.UrlEncode() function as it encodes special characters like “/,\,:” etc. to lower case format like “%2f,%5c,%3a” whereas OAuth expects url encoding in upper case format like “%2F,%5C,%3A”. This issue needs to be considered while URL encoding.

c. Make the delicious API call

Finally, we are at the point of making a request to Delicious.

First, we need to create an Authorization Header to send in the request. To do this, take the parameters we used to generate the Base String, remove any parameters that were part of the actual API request (in our case “url”), and then ADD the signature we just generated in Stage 5b as an oauth_signature parameter. All parameters are then joined together in a comma separated string:


Authorization: OAuth realm="",oauth_consumer_key="ef1uGeq4fP9vbnDXQAtlN0IcKvY8RTef0MztKJfBRYacPiuYmQXFdi10DOU3WSDVfn7MQw5basdrn92urX47wlD3F6G4oOA6JHE6",oauth_nonce="613149020",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1257971461",oauth_token="A%3DvVzfAVXKsgHcbN6CCBdkiHFN6dOVXHRp6j_.rp.k8rZGUEC90xB..TVkGkt84PFgY3ju3TR22mG4SmKRQxGZUxg.VHhRs89mhh97wBSwjShz88wljdPupz0..bsTIymGIAlJVosVocNnTwPYLp.UFcCEdFKklYcs.KUDRhdtffP8cLp8dGFzUfWxdwQk45eDAB0e.VJmG5jUc6p_mGvsnappYfoIdzoP13Dz6v3W4Oi8ygW8W10Z.x9aFxL1m4ZkaIWxUm85DxG.yvgNTzi2h5qqhJBbJKP0ZX2tm7DTH7hksWFrMevkJaKwkHgzN3N8bUA3tnW5xii4LAzRb87W8GaSQ27gH4WBX9prNstqw4KtTdvMS9QJw9ckid5w0U1DB25cAniZXimXXybOwaj5u2QHG6zKloGZxFlLhc.wELxOhuymBEuVAwP2s.BWrzTh9QrSopOCeY9SSkEN0fjHZ5jFmaxStgWJQQysDU3JWuor2SvWmOB5I5q2vYCZrL5IYncMofHm6JUWkm5R6NAQt_.kO8wF8ZamiDzCE2iBi91HJlrkCb3.lV804Xs7M4sbD_MHa3UV7x7iw6XEhLjctD8al0BGVjooKYaxObrBygTTtngdtkXZSxJI.hLfcAo3TymujkAfycVGSscHAl_IeEvNUIJnOX4jB1dDdzfoSk_83rFiCLsRasRjxLHv.o.ltfoUVpL4fL_1cP2rwh2Drxvpwup1dReSr2GtSsbGig--",oauth_version="1.0",oauth_signature="QAnF8ETJ0znTvcxBEb%2BMJoFicmQ%3D"

In c# we can add the header in the web request object as the code follows:

webRequest.Headers.Add("Authorization", "OAuth realm=\"\",oauth_consumer_key=\"ef1uGeq4fP9vbnDXQAtlN0IcKvY8RTef0MztKJfBRYacPiuYmQXFdi10DOU3WSDVfn7MQw5basdrn92urX47wlD3F6G4oOA6JHE6\",oauth_nonce=\"613149020\",oauth_signature_method=\"HMAC-SHA1\",oauth_timestamp=\"1257971461\",oauth_token=\"A%3DvVzfAVXKsgHcbN6CCBdkiHFN6dOVXHRp6j_.rp.k8rZGUEC90xB..TVkGkt84PFgY3ju3TR22mG4SmKRQxGZUxg.VHhRs89mhh97wBSwjShz88wljdPupz0..bsTIymGIAlJVosVocNnTwPYLp.UFcCEdFKklYcs.KUDRhdtffP8cLp8dGFzUfWxdwQk45eDAB0e.VJmG5jUc6p_mGvsnappYfoIdzoP13Dz6v3W4Oi8ygW8W10Z.x9aFxL1m4ZkaIWxUm85DxG.yvgNTzi2h5qqhJBbJKP0ZX2tm7DTH7hksWFrMevkJaKwkHgzN3N8bUA3tnW5xii4LAzRb87W8GaSQ27gH4WBX9prNstqw4KtTdvMS9QJw9ckid5w0U1DB25cAniZXimXXybOwaj5u2QHG6zKloGZxFlLhc.wELxOhuymBEuVAwP2s.BWrzTh9QrSopOCeY9SSkEN0fjHZ5jFmaxStgWJQQysDU3JWuor2SvWmOB5I5q2vYCZrL5IYncMofHm6JUWkm5R6NAQt_.kO8wF8ZamiDzCE2iBi91HJlrkCb3.lV804Xs7M4sbD_MHa3UV7x7iw6XEhLjctD8al0BGVjooKYaxObrBygTTtngdtkXZSxJI.hLfcAo3TymujkAfycVGSscHAl_IeEvNUIJnOX4jB1dDdzfoSk_83rFiCLsRasRjxLHv.o.ltfoUVpL4fL_1cP2rwh2Drxvpwup1dReSr2GtSsbGig--\",oauth_version=\"1.0\",oauth_signature=\"QAnF8ETJ0znTvcxBEb%2BMJoFicmQ%3D\"");

We then add this header to our request that we are making for and should get the expected response.

6. Refresh Access Token for future API calls without authorization

The access token obtained in step 4 remains valid for only 1 hour. So what happens after that period? Do you want to get authorization (by putting yahoo user id and password) again and again? What if you are writing a console application that will send updates of a delicious account to the subscribers at a regular interval? Well, don’t panic. A very feasible way is there.
You need to refresh the access token (using the expired token) to make subsiquent API calls.

The request url will look something like:

All the request parameters are described below:

Request ParameterDescription
oauth_nonceA random string
oauth_consumer_keyConsumer Key provided to you when you sign up on the registration
oauth_signature_methodThe signature method that you use to sign the request. This can be PLAINTEXT
oauth_signatureThe concatenated Shared Secret (Consumer Secret) and Token Secret separated by
an “&” character.
oauth_timestampCurrent timestamp of the request. This value
must be +-600 seconds of the current time.
oauth_versionOAuth version (1.0).
oauth_tokenThe expired Access Token.
oauth_session_handleThe persistent credential used by Yahoo! to identify the Consumer after a
User has authorized access to private data. Include this credential in your request
to refresh the Access Token once it expires.


Delicious API will return all the results in xml format. You need to format it as per your requirement. Hope this will help.

(In this article I mainly followed and used some texts and code samples from, Delicious.Net and LinkedinOauth).


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Kamruzzaman Titu
Software Developer (Senior) The Jaxara IT Ltd.
Bangladesh Bangladesh
Visit my blog at Kamruzzaman's Blog

Comments and Discussions

Questionmvc Pin
Tom McDonald17-Aug-16 11:28
MemberTom McDonald17-Aug-16 11:28 
GeneralMy vote of 5 Pin
Foyzul Karim9-Apr-13 1:54
professionalFoyzul Karim9-Apr-13 1:54 
GeneralRe: My vote of 5 Pin
Kamruzzaman Titu9-Apr-13 23:13
MemberKamruzzaman Titu9-Apr-13 23:13 
GeneralMy vote of 2 Pin
geeky rishu22-Sep-12 4:18
Membergeeky rishu22-Sep-12 4:18 
QuestionTo Solve remote server returned an error: (401) Unauthorized Pin
aryan20106-Nov-11 2:07
Memberaryan20106-Nov-11 2:07 
QuestionGot the Message:Oauth oauth_problem="unable_to_determine_oauth_type" Pin
engirl11-May-11 17:05
Memberengirl11-May-11 17:05 
Generaloauth_problem=signature_invalid Pin
Member 26476532-Feb-11 19:07
MemberMember 26476532-Feb-11 19:07 
GeneralRe: oauth_problem=signature_invalid Pin
Kamruzzaman Titu2-Feb-11 19:18
MemberKamruzzaman Titu2-Feb-11 19:18 
GeneralProblem while accessing Pin
estege18-May-10 1:42
Memberestege18-May-10 1:42 
GeneralRe: Problem while accessing Pin
Zeldain19-May-10 18:21
MemberZeldain19-May-10 18:21 
GeneralRe: Problem while accessing Pin
AYODHYA_HOTA28-Jun-10 0:38
MemberAYODHYA_HOTA28-Jun-10 0:38 
GeneralRe: Problem while accessing Pin
chesterbr28-Aug-10 17:10
Memberchesterbr28-Aug-10 17:10 
GeneralRe: Problem while accessing Pin
niaher4-Jul-10 4:07
Memberniaher4-Jul-10 4:07 
GeneralEverbright Smiles Pin
rubbimaria25-Apr-10 20:32
Memberrubbimaria25-Apr-10 20:32 
GeneralEverbright Smiles Pin
rubbimaria25-Apr-10 20:32
Memberrubbimaria25-Apr-10 20:32 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.