[Solved] Converting curl command with oauth to Thunkable blocks

I’m trying to access the Noun Project API from Thunkable. I have a curl command that works in Terminal and Postman:

curl --location --request GET 'https://api.thenounproject.com/icons/guitar?limit=30&oauth_consumer_key=[insert key here]&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1652752633&oauth_nonce=Nz9G0aGEvLh&oauth_version=1.0&oauth_signature=ihlp5Vh%2FwSBrYjWrUiJZ6xadR2k%3D'

Here it is again:

curl --location --request GET ‘https://api.thenounproject.com/icons/guitar?limit=30&oauth_consumer_key=[insert key here]&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1652752633&oauth_nonce=Nz9G0aGEvLh&oauth_version=1.0&oauth_signature=ihlp5Vh%2FwSBrYjWrUiJZ6xadR2k%3D’

But when I try this with my key, it fails and returns the error “Bad Request. Missing OAuth parameters”:

(note that the screenshot shows the signature method as “MAC-SHA1” but I fixed this later to read “HMAC-SHA1”

This seems like useful information but I can’t quite piece together what I need:

1 Like

Query parameters should be an object not a JSON string and all parameters should be included.

I initially tried both with and without the generate JSON block but now when I try your blocks, I get this:

403 Forbidden

You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

1 Like

Oh… interesting… that same curl command is now returning the 403 Forbidden error as well.

I think it’s probably an invalid timestamp. Just a guess!

Edit: if I generate a new curl command from Postman, it works again. So it’s something to do with the timestamp.

1 Like

Think I might be in over my head:

1 Like

I just had more reading about it and I was wrong. These should not go into the Query Parameters block. They are part of the authorization and should go in the Headers block.

You might need to add quotation marks around the values but it has to be part of the headers as it is an authorization string.

If you want it to be part of the parameters block then you need to add in the header Content-Type=application/x-ww-form-urlencoded so you can pass the authentication as part of the parameters block or the body block.

1 Like

Hi @tatiang ,

did you realize that the curl-command says “…oauth_signature_method=HMAC-SHA1” but your first screenshot shows only “MAC-SHA1” (without “H”)? I don’t know if it makes a difference, just trying to help.

1 Like

Yes, thank you, I did catch that. I’ve fixed the blocks but I’ll update the screenshot when I get a chance.


I believe Postman sends the values as parameters. If I use an Authorization header in Thunkable, with or without quotes around the entire string or around each value, I get “Invalid query string.”

1 Like

This is what I made

This is the result from my mobile


Success!!! Thank you so much for your perserverance helping me. It’s working now. I was missing "OAuth " at the beginning of the text string. I wonder how to generate a current timestamp, nonce and signature.


Generating the OAuth 1.0 string is straight forward but involves a lot of steps.

  • First you need to create what is referred to as Base String which is comprised of the method (GET or POST) in uppercase then & the URL in lowercase then & this should be followed with all parameters in alphabetical order in the form of parameter name then = then parameter value then &
  • The timestamp should be unix time in seconds only
  • The nonce is any arbitrary text and can be the timestamp but in milliseconds
  • All this should be in URL ENCODED format

The next required parameter is the Base secret which is the Customer Key then & then customer secret and converted to URL ENCODED.

The last step is to create the Signature by hashing both the base string and the base secret. The result of the hashing should be in Base64.

Note that OAuth 1.0 only supports a single hashing method which is HMAC-SHA1.

Hope this helps.

1 Like

you could use xano for this. I’m sure there are others but they have easy to use cryptographic functions

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.