OAuth Echo + Realm



The current OAuth Echo documentation at:

No longer shows realm=“http://api.twitter.com” as being necessary to send in the X-Verify-Credentials-Authorization header. From a media sharing standpoint, apps which omit this in their call to delegator apps tend to get either success or error responses from Twitter. For example, one app has not been including this and has been getting success responses. When this was omitted in the call to our delegator app, which we then pass to Twitter, it resulted in an authorization error.

Is this still a requirement or has it been omitted on purpose?



Bumping this up as it seems rather important and wondering if it's just an omission in the documentation.


The realm parameter has never been absolutely required in these requests – some OAuth libraries use the field and others do not. We verify that the header is syntactically correct and if a realm is provided I believe we also validate that it’s contextually correct – but its presence is not required. There are definitely implementations of OAuth Echo out there that are fragile for other reasons though – such as not tolerating arbitrary parameters being added to the verify credentials URL or variance of API version and so on. As long as the signature and what’s described by the provided Authorization header match the specified verify credentials request and the credentials are valid, you should find this remaining functional.
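The exchange the reply describes, as an added example that is not part of the original thread and not Twitter's code: the client signs a verify_credentials request with OAuth 1.0a HMAC-SHA1, hands the resulting Authorization header to a delegator via the two OAuth Echo headers, and the delegator forwards it to the service provider's verify URL. The provider-side check (`provider_verify`) is a local stand-in for what Twitter does, written from the reply's description and RFC 5849: realm is validated only when present and is never part of the signed base string, so the header verifies with or without it. The credentials, the `extra_query` knob on `delegator_forward`, and all function names are constructed for this example. The `extra_query` path models the fragility the reply mentions, a delegator that tacks its own parameters onto the verify URL, which changes the base string and breaks the signature.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed, hypothetical credentials for the example; not real Twitter keys.
CONSUMER_KEY = "exampleConsumerKey"
CONSUMER_SECRET = "exampleConsumerSecret"
TOKEN = "exampleAccessToken"
TOKEN_SECRET = "exampleAccessTokenSecret"

VERIFY_URL = "https://api.twitter.com/1.1/account/verify_credentials.json"
EXPECTED_REALM = "http://api.twitter.com"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only A-Z a-z 0-9 -_.~ left bare)."""
    return quote(str(value), safe="")


def signature_base_string(method, url, oauth_params):
    """OAuth 1.0a signature base string. Query-string parameters are signed;
    'realm' and 'oauth_signature' never are (RFC 5849 section 3.4.1.3.1)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    params = [(k, v) for k, v in oauth_params if k not in ("realm", "oauth_signature")]
    params += parse_qsl(parts.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def client_echo_headers(include_realm):
    """Client side: sign a verify_credentials request and hand the resulting
    Authorization header to the delegator in the two OAuth Echo headers."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": TOKEN,
        "oauth_version": "1.0",
    }
    base = signature_base_string("GET", VERIFY_URL, oauth.items())
    oauth["oauth_signature"] = hmac_sha1(base, CONSUMER_SECRET, TOKEN_SECRET)
    fields = [f'realm="{EXPECTED_REALM}"'] if include_realm else []  # optional field
    fields += [f'{k}="{pct(v)}"' for k, v in oauth.items()]
    return {
        "X-Auth-Service-Provider": VERIFY_URL,
        "X-Verify-Credentials-Authorization": "OAuth " + ", ".join(fields),
    }


def delegator_forward(echo_headers, extra_query=""):
    """Delegator side: forward the header untouched. 'extra_query' (constructed)
    models a delegator that appends its own parameters to the verify URL."""
    url = echo_headers["X-Auth-Service-Provider"] + extra_query
    return url, echo_headers["X-Verify-Credentials-Authorization"]


_FIELD = re.compile(r'([A-Za-z_][\w.]*)="([^"]*)"')


def parse_oauth_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    return {k: unquote(v) for k, v in _FIELD.findall(rest)}


def provider_verify(url, authorization):
    """Stand-in for the service provider's check (Twitter's real logic is not
    public): syntax, realm only if present, then the HMAC-SHA1 signature."""
    try:
        params = parse_oauth_header(authorization)
    except ValueError as exc:
        return False, str(exc)
    realm = params.get("realm")
    if realm is not None and realm != EXPECTED_REALM:
        return False, "realm present but wrong"
    presented = params.get("oauth_signature")
    if presented is None:
        return False, "missing oauth_signature"
    # A real provider looks up the token secret by oauth_token; constructed here.
    expected = hmac_sha1(signature_base_string("GET", url, params.items()),
                         CONSUMER_SECRET, TOKEN_SECRET)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "signature does not match the forwarded request"
    return True, "ok"


def echo_roundtrip(include_realm, extra_query=""):
    """Full exchange client -> delegator -> provider. Returns (ok, reason)."""
    return provider_verify(*delegator_forward(client_echo_headers(include_realm), extra_query))


if __name__ == "__main__":
    print("with realm:", echo_roundtrip(True))
    print("without realm:", echo_roundtrip(False))
    print("delegator appended ?skip_status=true:", echo_roundtrip(False, "?skip_status=true"))
```

Running it shows the two points of the reply side by side: the header verifies with and without `realm`, a wrong `realm` is rejected only because it was supplied, and a delegator that alters the verify URL (here by appending a query parameter) breaks an otherwise valid signature because the query string is part of what was signed.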


It seems like some photo sharing services require it in their API upload endpoint but whether they receive the realm parameter or not in the header, it still validates. While others will receive a failed authentication from Twitter’s API if it's not present.

But this makes sense. My original understanding of the early OAuth Echo docs was that it was included/required and in a specific order.

Thanks for quick response.