OAuth 1.0 is a protocol that lets applications make authenticated HTTP requests on behalf of a user — without ever exposing the user's credentials. Bruno 3.3.0+ ships with full OAuth 1.0 support covering the complete RFC 5849 specification, including seven signature methods, flexible parameter placement, and native support for Bruno variables.
Table of Contents
OAuth 1.0 is an open authorization protocol that enables a third-party application to access protected resources on behalf of a user without requiring the user to share their password. Instead of passing credentials, every request is cryptographically signed using a combination of the application's consumer keys and the user's access token.
It was widely adopted by APIs like Twitter, Flickr, and many enterprise services before OAuth 2.0 became the norm. Many production APIs still use OAuth 1.0 today — particularly in financial services, government systems, and legacy enterprise integrations. The key advantage over OAuth 2.0 is that signatures provide message integrity, meaning the API can verify that the request body was not tampered with in transit.
OAuth 1.0 uses a three-legged flow involving three parties: the Client (your app), the Resource Owner (the user), and the Server (the API provider). The flow exchanges temporary tokens step by step before granting access to protected resources.
Client
Your App
Resource Owner
The User
Server
API Provider
Request Token
Client sends a signed request to the server's Request Token endpoint using Consumer Key + Consumer Secret. Server returns a temporary oauth_token and oauth_token_secret.
User Authorization
Client redirects the user to the server's Authorization URL, passing the temporary token. The user logs in and grants permission to the client app.
Callback with Verifier
After the user approves, the server redirects back to the client's Callback URL with an oauth_verifier code that proves the user completed authorization.
Access Token Exchange
Client sends the temporary token + verifier to the server's Access Token endpoint. Server returns a long-lived access_token and access_token_secret.
Signed API Requests
Client uses the Consumer Key + Access Token to sign every protected API request. The server validates the signature and returns the protected resource. This is the step Bruno handles for you automatically.
Bruno and OAuth 1.0: When you are testing an API, you typically already have the Access Token and Access Token Secret from a previous OAuth flow. Bruno focuses on Step 5 — signing protected API requests — which is where the Consumer Key, Consumer Secret, Token, and Token Secret fields come in.
OAuth 1.0 authentication is available in Bruno 3.3.0 and above. Make sure you are running the correct version before following this guide.
Minimum version: OAuth 1.0 support requires Bruno 3.3.0+. You can check your installed version from Bruno → Preferences → About in the sidebar bar. Update to the latest release if you are on an older version.
Configuring OAuth 1.0 for a request takes just a few steps inside the Bruno UI.
Open your request in Bruno
Select any existing request from your collection, or create a new one.
Navigate to the Auth tab
Click the Auth tab in the request panel. This is where all authentication methods are configured.
Select OAuth 1.0 from the dropdown
Choose OAuth 1.0 from the auth type dropdown. The configuration fields appear immediately below.
Fill in the required fields and send
Enter your credentials and signature settings. Bruno signs the request automatically when you hit Send.
These four fields are the foundation of every OAuth 1.0 request. They are issued to your application and user by the OAuth provider.
| Field | Description |
|---|---|
Consumer Key |
The application's consumer key issued by the OAuth provider. Identifies your app to the server. |
Consumer Secret |
The application's consumer secret. Used as part of the signing key. Hidden when using RSA methods — the private key replaces it. |
Token |
The access token for the authenticated user, obtained after the user completes the OAuth authorization flow. |
Token Secret |
The access token secret paired with the access token. Combined with the Consumer Secret to form the signing key. |
These fields control how Bruno signs each request and where it places the OAuth parameters.
| Field | Description |
|---|---|
Signature Method |
The algorithm used to sign requests. Choose from HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512, or PLAINTEXT. |
Private Key |
PEM-formatted private key for RSA methods. Only visible when an RSA method is selected. Can be pasted inline or provided as a file path. |
Add Params To |
Where OAuth parameters are placed — Header, Query Params, or Body. Defaults to Header. |
Include Body Hash |
When enabled, computes and includes an oauth_body_hash parameter for non-form-encoded request bodies. |
These fields are optional and hidden inside a collapsible section in the UI. Bruno auto-generates most of them. You only need to set them when your API requires specific values or when testing edge cases like timestamp validation or nonce uniqueness.
| Field | Description |
|---|---|
Callback URL |
The oauth_callback URL used during Step 1 of the OAuth flow (temporary credentials request). |
Verifier |
The oauth_verifier value used during Step 4 of the OAuth flow (access token exchange). |
Timestamp |
Override the auto-generated oauth_timestamp. Leave empty and Bruno generates it automatically. |
Nonce |
Override the auto-generated oauth_nonce. Leave empty and Bruno generates a unique value automatically. |
Version |
The oauth_version value sent in the request. Defaults to 1.0. |
Realm |
The realm parameter included in the Authorization header. Required by some providers. |
Bruno variables: All OAuth 1.0 fields support the syntax. Store your consumer key and secrets in environment variables and reference them here to keep credentials out of your collection files.
Bruno supports seven signature methods. The method you choose depends on what your API provider requires. HMAC-SHA1 is the most common, RSA methods are used when the provider issues a private key instead of a shared secret, and PLAINTEXT should only be used over HTTPS.
| Method | Type | Description |
|---|---|---|
HMAC-SHA1 |
HMAC | Signs using HMAC with SHA-1. The most widely supported method across OAuth providers. |
HMAC-SHA256 |
HMAC | Signs using HMAC with SHA-256. Stronger than SHA-1, use when the provider supports it. |
HMAC-SHA512 |
HMAC | Signs using HMAC with SHA-512. Maximum strength for HMAC-based signing. |
RSA-SHA1 |
RSA | Signs using an RSA private key with SHA-1. Consumer Secret is not used — PEM private key required. |
RSA-SHA256 |
RSA | Signs using an RSA private key with SHA-256. Recommended for modern RSA integrations. |
RSA-SHA512 |
RSA | Signs using an RSA private key with SHA-512. Highest strength for RSA-based signing. |
PLAINTEXT |
None | Sends the signing key directly without hashing. No cryptographic protection — only use over HTTPS. |
RSA methods: When using any RSA signature method, you must provide a PEM-formatted private key in the Private Key field. The Consumer Secret field is hidden and not used — the asymmetric private key takes its place in the signing process.
Bruno lets you choose where the OAuth parameters are included in the request via the Add Params To setting.
Authorization header, formatted per RFC 5849. This is the recommended approach for most APIs.application/x-www-form-urlencoded parameters. Requires a form-encoded body.Body placement: This option requires an application/x-www-form-urlencoded body. If your request uses a different content type — such as JSON — selecting Body placement will replace the existing body with OAuth parameters.
OAuth 1.0 can be configured at three levels in Bruno. This lets you define credentials once and share them across many requests without duplicating configuration in every request file.
| Level | How to configure | Scope |
|---|---|---|
| Request | Set OAuth 1.0 directly in the request's Auth tab | Applies to that single request only |
| Folder | Right-click the folder → Settings → Auth tab | All requests in the folder set to Inherit |
| Collection | Collection Settings → Auth tab | All requests in the collection set to Inherit |
When a request's auth mode is set to Inherit, Bruno walks up the hierarchy — checking the parent folder first, then the collection — and uses the first OAuth 1.0 configuration it finds.
Every OAuth 1.0 field accepts variable references using the syntax. Store your credentials in environment variables to keep them out of your collection files and easily switch between environments.
Consumer Key →
Consumer Secret →
Token →
Token Secret → Keeping secrets safe: Mark sensitive variables as Secret in the Bruno environment editor. Secret variables are excluded from Git commits, so your consumer secrets and access token secrets never end up in version control.
OAuth 1.0 is fully supported in the Bruno CLI. When you run collections or requests with bru run, OAuth 1.0 authentication is applied and requests are signed automatically — no extra flags needed.
# Run the full collection with an environment
bru run --env production
# Run a single request file
bru run requests/get-orders.bru --env stagingThis makes OAuth 1.0 testing work seamlessly in CI/CD pipelines. The same collection you test locally in the Bruno UI runs identically on your CI server — credentials are resolved from environment variables and requests are signed automatically on every run.
What Bruno handles for you
You can quickly import and test OAuth 1.0 examples directly inside Bruno using the collection below.
The collection includes ready-to-use OAuth 1.0 request examples, helping you understand the authentication flow, signature generation, and request signing process while testing real-world API integrations.
OAuth 1.0 remains an important authentication standard in financial services, government APIs, and enterprise systems. Bruno 3.3.0+ brings complete RFC 5849 support directly into the UI — no plugins, no workarounds, and no manual signature calculation.
You pick your signature method, enter your credentials via environment variables, choose where parameters go, and Bruno handles the signing automatically — whether you are testing in the UI or running a full collection through the CLI.
Happy testing 🚀