node package manager


Pure-browser OAuth for CORS-supporting sites like OpenStreetMap

A most-of-the-way OAuth 1.0 client implementation in Javascript. Meant to be an improvement over the default linked one because this uses idiomatic Javascript.

If you use this on a server different from the one authenticated against, you'll need to enable and use CORS for cross-origin resources. CORS is not available in IE before version IE10.

Try it out at:

As a file


With browserify

npm install ohauth
var ohauth = require('ohauth');
  • OpenStreetMap full & tested with iD
  • GitHub - partial, full flow is not possible because access_token API is not CORS-enabled
// generates an oauth-friendly timestamp 
// generates an oauth-friendly nonce 
// generate a signature for an oauth request 
ohauth.signature("myOauthSecret", "myTokenSecret", "percent&encoded&base&string");
// make an oauth request. 
ohauth.xhr(method, url, auth, data, options, callback);
// options can be a header like 
{ header: { 'Content-Type': 'text/xml' } }
ohauth.xhr('POST', url, o, null, {}, function(xhr) {
    // xmlhttprequest object 
// generate a querystring from an object 
ohauth.qsString({ foo: 'bar' });
// foo=bar 
// generate an object from a querystring 
// { foo: 'bar' } 
// create a function holding configuration 
var auth = ohauth.headerGenerator({
    consumer_key: '...',
    consumer_secret: '...'
// pass just the data to produce the OAuth header with optional 
// POST data (as long as it'll be form-urlencoded in the request) 
var header = auth('GET', 'http://.../?a=1&b=2', { c: 3, d: 4 });
// or pass the POST data as an form-urlencoded 
var header = auth('GET', 'http://.../?a=1&b=2', 'c=3&d=4');