Authentication for Job Posting

The Jobs API requires authentication so we know which partner is working with the particular job and can verify that the job's poster matches up with the contract being sent.  For this purpose, we are using two-legged OAuth.  This means that the only things you need to make these calls are the consumer key and secret key associated with the jobs contracting partner.

Using a Library

Making OAuth calls is generally best done by using an existing OAuth library. A two-legged call is the simplest possible OAuth call, requiring just a consumer key and token.

With most libraries, making this type of call is relatively simple. You will create an OAuth client using your consumer key and secret key, and have that client make the requests for you.  Most OAuth libraries are tuned for three-legged requests so you'll need to find out how to make two-legged requests. In some cases a client can be created with no token, in some cases an empty token needs to be created.  If neither of those work, you can check to see how the library handles request_token calls - those calls are made as two-legged calls as well.

For instance, in Python (using the oauth2 library), the call looks like this:

import oauth2 as oauth
consumer = oauth.Consumer( key="OAUTH_CONSUMER_KEY", secret="OAUTH_CONSUMER_SECRET")
client = oauth.Client(consumer)url = ""
body = """job-xml-here"""
resp, content = client.request(url, 'POST', body=body, headers={'Content-Type':'text/xml'})
print respprint content

Some libraries only handle the signature generation piece, in which case the below information will be helpful for you.

Detailed Explanation

For information on generating OAuth signatures, you can read all about the OAuth process on the OAuth standards site.

As an example, we'll walk through making a job posting.  This request is made with a POST request to

The following components should be present in your string to sign.  Each value of the base string needs to be URL escaped (including the equals signs).

POST request
oauth_callback (optional)

Your base string should end up looking something like this:


You then sign this base string with your consumer_secret and an ampersand (&), computing a signature.

Now you take the signature you generated, along with oauth_nonce, oauth_signature_method, oauth_timestamp, oauth_consumer_key, and oauth_version and create an HTTP Authorization header. For this request, that HTTP header would look like:

Authorization: OAuth oauth_nonce="oqwgSYFUD87MHmJJDv7bQqOF2EPnVus7Wkqj5duNByU", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1259178158", oauth_consumer_key="ABCDEFGHIJKLMNOPQRSTUVWXYZ", oauth_signature="TLQXuUzM7omwDbtXimn6bLDvfF8%3D", oauth_version="1.0"

Please note, that the HTTP header is a single header -- not an HTTP header for each component.