In order to access the API of a service provider, you need to create an application with that service provider. Creating an application will provide you with a consumer key (also known as API key or application key) and a consumer secret (also known as API secret or application secret).
Creating an application is normally done by logging in to the "developer" community of the service provider, selecting "Create New Application", or the like, and filling out the required information. Let's take a look at how this is done at Twitter:
First, log into http://dev.twitter.com (creating a new account if necessary), click the user name in the top right corner and select "My Applications".
Then, click the "Create a new Application" button.
Fill out the required information, such as the name and description of the application, and read through Twitter's terms of service before accepting.
One of the fields in the form is a "Callback URL". This is the URL
that Twitter will redirect a user's browser to after she has agreed to
let your application interact with her Twitter account on her behalf.
This field must be set to the path
OAuthCallback under the
folder in which the Management Console is deployed. For instance, if
running with an embedded Management Console, it runs at
http://localhost:50080/. In this case, the callback URL
would be specified to
- however, beware that some service providers do not allow a callback
localhost. Twitter is one of those
providers, so we will use
Alternatively (and this is required by some service providers), you need to specify the hostname or non-loopback IP address of the machine on which you are running the Management Console. Since this page will be loaded by the browser of the authenticating user, this need not be a public hostname or IP address.
After creating the application, we are presented with a summary of
the application. We will need to copy some of these values into
Management Console, so go ahead and open Management Console in a browser.
Note that you should use the same IP address or hostname that was
entered as callback URL; in this example we will therefore point our
Now, navigate to the OAuth tab, which is a sub-tab of the Repository tab, and click the "New Application" button.
Select a name for the application (which doesn't need to be the same name as what is used when you created the application at the service provider) and select the service provider (in this case Twitter).
The consumer key and consumer secret must be copied from the summary page of the application presented by the service provider.
Enter the same callback URL as you did before and click Save. Some
service providers additionally require that you specify a scope, i.e.
which parts of the API a user will authorize the application to
access. For instance, when accessing Google, the scope
https://www.google.com/analytics/feeds/ must be specified
if the application should be allowed to access the Google Analytics Data
API. Twitter does not use the scope field, so this will be left blank in
We have now set up an OAuth application in the Management Console.
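The callback URL rules from the steps above (the OAuthCallback path under the console's folder, no loopback host for providers such as Twitter, and the same host for the console and the callback) can be checked before saving the form. The following Python is an added example, not part of the Management Console or of the original page; the function names and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

CALLBACK_LEAF = "OAuthCallback"  # path segment named in the text


def is_loopback(host):
    """True for 'localhost' names and loopback IP literals (127.0.0.0/8, ::1)."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname; it is not resolved here


def origin(url):
    """(scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return parts.scheme, parts.hostname or "", port


def check_callback(callback_url, console_url, provider_allows_loopback=False):
    """Return a list of problems; an empty list means the URL passes."""
    problems = []
    cb, console = urlsplit(callback_url), urlsplit(console_url)
    if cb.scheme not in ("http", "https") or not cb.hostname:
        return ["callback must be an absolute http(s) URL"]
    # The callback is OAuthCallback directly under the console's folder.
    expected_path = console.path.rstrip("/") + "/" + CALLBACK_LEAF
    if cb.path != expected_path:
        problems.append(f"path should be {expected_path}, got {cb.path}")
    if is_loopback(cb.hostname) and not provider_allows_loopback:
        problems.append("provider rejects loopback hosts; use a hostname or LAN IP")
    # The browser must open the console on the host used in the callback.
    if origin(callback_url) != origin(console_url):
        problems.append("callback host/port differs from the console URL")
    return problems


if __name__ == "__main__":
    # Constructed sample values (192.0.2.0/24 is a documentation range).
    print(check_callback("http://localhost:50080/OAuthCallback", "http://localhost:50080/"))
    print(check_callback("http://192.0.2.10:50080/OAuthCallback", "http://192.0.2.10:50080/"))
```
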
Note that if you later edit the application, the consumer secret will be displayed as "(encrypted)" for security reasons. To change the consumer secret, simply replace this value in the input field with the new consumer secret; otherwise, leave it as-is when editing an application.
Next, we will be adding a user to the application.