How to implement Oauth 1.0a in K6

I have a curl Oauth 1.0a request:

curl --location --request POST ‘https://dev/api/login
–header ‘Content-Type: application/consumer-key+json’
–header ‘Authorization: OAuth oauth_consumer_key=“42a3be6e77dc41d6bfeab5229b172b53”,oauth_signature_method=“HMAC-SHA1”,oauth_timestamp=“1504127763”,oauth_nonce=“6ULC6xT4Fxi”,oauth_version=“1.0”,oauth_signature=“0dr9PXF1mkkyDD%2BWehj1%2FYsouVY%3D”’
–data-raw ‘{
“key”: “42a3be6e77dc41d6bfeab5229b172b53”,
“secret”: “6437eb48-6828-2222-a923-1681be663d3e”

My scripts:

import http from 'k6/http';
import { check } from 'k6';
import { crypto } from "k6/crypto";

export let options = {
      vus: 1,
      duration: '1s',

export default function () {
    var url = `https://dev/api/login`;
    var requestBody =
        "key": "42a3be6e77dc41d6bfeab5229b172b53",
        "secret": "6437eb48-6828-2222-a923-1681be663d3e"
    let headers = {
        'headers': {
            'Content-Type': 'application/consumer-key+json',
            'Authorization': `OAuth oauth_consumer_key="42a3be6e77dc41d6bfeab5229b172b53",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1504127763",oauth_nonce="6ULC6xT4Fxi",oauth_version="1.0",oauth_signature="0dr9PXF1mkkyDD%2BWehj1%2FYsouVY%3D"`

    let res =, requestBody, headers);
    check(res, {
        'Consumer login: is status 200': (r) => r.status === 200,


Problem statement: I am getting unauthorized when running my script. It seems that oauth_signature is incorrect. There is no documentation for Outh 1.0 but there is for 2.0 including an example. I am stuck. I do not how to structure the code and generate oauth signature and use it.

I am confused about HMAC and SHA1. Do I need to use them together? How to use them?

Hi @aakash.gupta,

the problem with your above code is that you are providing with a body that is an object and k6 will at that point make it into a mutlipart body, instead of a JSON as you apparently expect..

In order to fix it just use JSON.stringify(requestBody) instead of requestBody in the call.

I am not familiar with how the OAuth tokens are generated but given the name I expect it is HMAC with SHA1, see this comment from me for some example with HMAC and SHA256.

Whether there are more steps in OAuth1, I don’t know :man_shrugging: . You will have to see what needs to be done and implement in js for k6, I would recommend checking out some other implementation if you don’t want to read the RFC.