Node.js OAuth1.0 and OAuth2.0: Twitter API v1.1 Examples

Recently we had to work on modification to accommodate Twitter API v1.1. The main difference between Twitter API v1.1 and, soon to be deprecated, Twitter API v1.0 is that most of the REST API endpoints now require user or application context. In other words, each call needs to be performed via OAuth 1.0A or OAuth 2.0 authentication.

Node.js OAuth

Node.js OAuth

At Storify we run everything on Node.js so it was natural that we used oauth module by Ciaran Jessup: NPM and GitHub. It’s mature and supports all the needed functionality but lacks any kind of examples and/or interface documentation.

Here are the examples of calling Twitter API v1.1, and a list of methods. I hope that nobody will have to dig through the oauth module source code anymore!

OAuth 1.0

Let start with a good old OAuth 1.0A. You’ll need four values to make this type of a request to Twitter API v1.1 (or any other service):

  1. Your Twitter application key, a.k.a., consumer key
  2. Your Twitter secret key
  3. User token for your app
  4. User secret for your app

All four of them can be obtained for your own apps at In case that the user is not youself, you’ll need to perform 3-legged OAuth, or Sign in with Twitter, or something else.

Next we create oauth object with parameters, and call get() function to fetch a secured resource. Behind the scene get() function constructs unique values for the request header — Authorization header. The method encrypts URL, timestamp, application and other information in a signature. So the same header won’t work for another URL or after a specific time window.

var OAuth = require('OAuth');
var oauth = new OAuth.OAuth(
      'your Twitter application consumer key',
      'your Twitter application secret',
      'your user token for this app', 
      //you can get it at for your own apps
      'your user secret for this app', 
      //you can get it at for your own apps
      function (e, data, res){
        if (e) console.error(e);        

OAuth Echo

OAuth Echo is similar to OAuth 1.0. If you’re a Delegator (service to which requests to Service Provider are delegated by Consumer) all you need to do is just pass the value of x-verify-credentials-authorization header to the Service Provider in Authorization header. Twitter has a good graphics on OAuth Echo.

There is OAuthEcho object which inherits must of its methods from normal OAuth class. In case if you want to write Consumer code (or for functional tests, in our case Storify is the delegator) and you need x-verify-credentials-authorization/Authorization header values, there is a authHeader method. If we look at it, we can easily reconstruct the headers with internal methods of oauth module such as _prepareParameters() and _buildAuthorizationHeaders(). Here is a function that will give us required values based on URL (remember that URL is a part of Authorization header):

  function getEchoAuth(url) { 
  //helper to construct echo/oauth headers from URL
    var oauth = new OAuth('',
      //test app token
      //test app secret
    var orderedParams = oauth._prepareParameters(
      "1111111111-AAAAAA", //test user token
    "AAAAAAAAAAAAAAAAAAAAAAA", //test user secret
    return oauth._buildAuthorizationHeaders(orderedParams);

From your consumer code you can maker request with superagent or other http client library (e.g., node.js core http module’s http.request):

var request = require('super agent');'your delegator api url')
  //your json data


OAuth 2.0 is a breeze to use comparing to the other authentication methods. Some argue that it’s not as secure, so make sure that you use SSL and HTTPS for all requests.

 var OAuth2 = OAuth.OAuth2;    
 var twitterConsumerKey = 'your key';
 var twitterConsumerSecret = 'your secret';
 var oauth2 = new OAuth2(
   function (e, access_token, refresh_token, results){
     console.log('bearer: ',access_token);
     oauth2.get('protected url', 
       access_token, function(e,data,res) {
         if (e) return callback(e, null);
         if (res.statusCode!=200) 
           return callback(new Error(
             'OAuth2 request failed: '+
         try {
           data = JSON.parse(data);        
         catch (e){
           return callback(e, null);
         return callback(e, data);

Please note the JSON.parse() function, oauth module returns string, not a JavaScript object.

Consumers of OAuth2 don’t need to fetch the bearer/access token for every request. It’s okay to do it once and save value in the database. Therefore, we can make requests to protected resources (i.e. Twitter API v.1.1) with only one secret password. For more information check out Twitter application only auth.

Node.js oauth API

Node.js oauth OAuth



  • requestUrl
  • accessUrl
  • consumerKey
  • consumerSecret
  • version
  • authorize_callback
  • signatureMethod
  • nonceSize
  • customHeaders

Node.js oauth OAuthEcho



Reading blog posts is good, but watching video courses is even better because they are more engaging.

A lot of developers complained that there is a lack of affordable quality video material on Node. It's distracting to watch to YouTube videos and insane to pay $500 for a Node video course!

Go check out Node University which has FREE video courses on Node:

[End of sidenote]


  • realm
  • verify_credentials
  • consumerKey
  • consumerSecret
  • version
  • signatureMethod
  • nonceSize
  • customHeaders

OAuthEcho sharers the same methods as OAuth

Node.js oauth Methods

Secure HTTP request methods for OAuth and OAuthEcho classes:



  • url
  • oauth_token
  • oauth_token_secret
  • callback



  • url
  • oauth_token
  • oauth_token_secret
  • callback



  • url
  • oauth_token
  • oauth_token_secret
  • post_body
  • post_content_type
  • callback


  • url
  • oauth_token
  • oauth_token_secret
  • post_body
  • post_content_type
  • callback

Node.js oauth OAuth2

OAuth2 Class



  • clientId
  • clientSecret
  • baseSite
  • authorizePath
  • accessTokenPath
  • customHeaders



  • code
  • params
  • callback



  • url
  • access_token
  • callback

The authors of node.js oauth did a great job but currently there are 32 open pull requests (mine is one of them) and it makes me sad. Please let them know that we care about improving Node.js ecosystem of modules and developers community!

UPDATE: Pull request was successfully merged!

Useful Twitter API v1.1 Resources

Just because they are vast and not always easy to find.


Best Regards,
Azat Mardan
Microsoft MVP | Book and Course Author | Software Engineering Leader
Azat Mardan avatar
To contact Azat, the main author of this blog, submit the contact form or schedule a call at and we can go over your bugs, questions and career.

22 thoughts on “Node.js OAuth1.0 and OAuth2.0: Twitter API v1.1 Examples

  1. Azat Post author

    Some developers think OAuth 1 is more secure than OAuth 2 so please do your own research. OAuth 1 or OAuth 2 will work okay with your app because after the authentication you’ll be using web sessions, JWT or some session techniques, not OAuth.

  2. Hannan

    Very good article of its kind. One question that I would like to ask here:
    I have a Node.js server implemented with PassportJS (Local Strategry) OAuth 1.0, which is session based OAuth version.
    I have a ReactJS application which will communicate with our this Node.js server. Which is the most suitable method of implementing OAuth authentication? I feel OAuth2.0 is more secure and better?

    In my case, I have a HTML login page, when user does login, the Node.js server validate the credentials and if valid it returns /redirect user to the members section (which is build in ReactJS). So this way my ReactJS application is also secure and only members can access it. The reactJS application has APIs which communicate to my Node.js server (if session is valid the result will return). Here, I wonder if it is better to implement OAuth2.0 which is token based and most modern and secure method, through which modern RestAPIs are implemented. What do you recommend?

  3. Pingback: Twitter API with JavaScript - Strange Milk

  4. Budy K

    Thanks for this example…..I’m trying to build Android App and iOs . server side is Node.js …should I apply API key, secret,realm etec?

  5. MarB

    Hi, great article.

    I’m trying to send result of user timeline to Angular with OAuth 1. I can log timeline on backend ok, but I can’t return the JSON to Angular controller.

    I tried “res.send(data)” which returns: TypeError: Object # has no method ‘send’

    Patience please, I’m new to javascript, any help appreciated. Thanks

  6. Azat Post author

    Hi Ellis,

    Thanks for your questions. Others might wonder about it as well.

    Protected url is basically a placeholder for URL that you try to get access to (usually on behalf of your users), e.g., getting Twitter user profile information. Most service providers’ APIs require OAuth to use their API endpoints which makes them protected.

  7. EllisGL

    Stupid question probably, but I noticed that you have ‘protected url’ in this code, and after tracing some stuff down, what is the ‘protected url’ supposed to be?

    I’m also trying to use to authenticate users, not myself – which I’m not sure if this code does that, am I wrong?

  8. Chris B

    Here’s a App Auth (OA2) example I wanted to see what was behind the scenes without the libraries..

    function T(cons_key, cons_secret){
    return {
    r: require(‘request’),
    tok: null,
    api: function(name, cb){
    var th = this;
    if(!this.tok){{url: ‘’,
    headers: {Authorization: ‘Basic ‘ + new Buffer(cons_key +’:’+ cons_secret).toString(‘base64’)},
    form: {grant_type: ‘client_credentials’}
    }, function(e,r,b){th.tok=JSON.parse(b).access_token; th.api(name, cb)});
    url: ‘’,
    headers: {Authorization: ‘Bearer ‘ + th.tok}
    }, function(e,r,b){cb(JSON.parse(b))})
    var tw = T(‘consumer_key’, ‘consumer_secret’);
    tw.api(‘search/tweets.json?q=javascript’, function(r){

  9. Aaron

    On OAuth2, are we supposed to use exports.OAuth2.prototype._request as public api? The REST convenience methods are curiously missing. As are comments no _request. I would love to contribute. Sad about pull requests being ignored.

  10. Ciaran

    Thanks for this, looks like a great resource, would be great to fold some of these examples back into the module’s wiki pages ?

  11. Ciaran

    Thanks for this, some good resources here, would be even better to fold them back into the wiki on the oauth module site ;)

  12. dot

    Oh sorry my bad, i was googling around all day trying to find out to do oAuth for my app and also trying to retrieve a user’s twitter home feed, it totally passed by me that you are using node.js. I am fairly new to this, so to include node.js how would I do this? Would i just include node.js in a javascript and include it in my html?Please let me know. I appreciate your help, thanks.

  13. dot

    Now I get OAuth is undefined. Here is my code, will u b able to identify what I am doing wrong? Also twitter doesn’t support OAuth2.0 yet officially does it?

    Twitter JQM

    var OAuth2 = null;

    function load(){

    alert(‘page is loaded’);
    OAuth2 = OAuth.OAuth2;

    var twitterConsumerKey = ‘5BX4tmZJ47hPUa5zOESIog’;
    var twitterConsumerSecret = ‘w1vJDxxHZB4IL4inkIWLA18InRy74gaMVflzKChbN0’;
    var oauth2 = new OAuth2( twitterconsumerKey, twitterConsumerSecret, ‘’, null, ‘oauth2/token’, null);

    oauth2.getOAuthAccessToken( ”, {‘grant_type’:’client_credentials’}, function (e, access_token, refresh_token, results){
    console.log(‘bearer: ‘,access_token);
    oauth2.get(‘protected url’, access_token, function(e,data,res) {
    if (e) return callback(e, null);
    if (res.statusCode!=200) return callback(new Error( ‘OAuth2 request failed: ‘+ res.statusCode),null);
    try { data = JSON.parse(data); } catch (e){ return callback(e, null); } return callback(e, data); }); });

  14. DOT


    I am trying the oAuth 2 code for my mobile web app using javascript.
    but i get the OAuth2 is undefined error. Why would that be?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.