Required Access Token authorization headers


#1

After trial and error I whittled down my authorization header to what seems absolutely necessary to successfully obtain oauth_tokens by POSTing the following (where ‘some string’ is an actual value):

Authorization: OAuth oauth_token=“some string”,
oauth_signature_method=“HMAC-SHA1”,
oauth_timestamp=“1421882817”,
oauth_verifier=“some string”

However in the documentation they provide the following example:

Authorization: OAuth oauth_consumer_key=“cChZNFj6T5R0TigYB9yd1w”,
oauth_nonce=“a9900fe68e2573b27a37f10fbad6a755”,
oauth_signature=“39cipBtIOHEEnybAR4sATQTpl2I%3D”,
oauth_signature_method=“HMAC-SHA1”,
oauth_timestamp=“1318467427”,
oauth_token=“NPcudxy0yU5T3tBzho7iCotZ3cnetKwcTIRlX0iwRl0”,
oauth_version=“1.0”

Why am I able to successfully obtain oauth_tokens when sending in a much shorter authorization header?

Specifically, the docs state: ‘the request token is also passed in the oauth_token portion of the header, but this will have been added by the signing process’.

But I’m not including an oauth_signature in my header so how can this be?