Getting Single-user OAuth to Work with the Tumblr API

Album Cover: Life After Death

"While your gun's raisin', mine is blazin'."
The Notorious B.I.G. / I Love the Dough

Posted on January 11, 2013 3:09 PM in Programming
Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

Before I get into the details of how I got single-user OAuth to work with the Tumblr API, I have to make a few comments about Tumblr's API itself. First and foremost, the JSON structure they return is very well done. Compliments end there, though, because they unfortunately make the bar to entry for prospective API consumers far too high.

The first thing you'll notice if you try to build your own Tumblr API-consuming application is that they immediately gloss over the first roadblock to building one: authentication. For example, the whole process of using OAuth to gain access is covered with the following three sentences:

Tumblr supports OAuth 1.0a, accepting parameters via the Authorization header, with the HMAC-SHA1 signature method only. There's probably already an OAuth client library for your platform.

If you've worked with Twitter's OAuth implementation, you'll feel right at home with ours.

Passing the responsibility for documentation off to Twitter, a direct competitor? Really? Granted, Twitter's API documentation sets the gold standard, but at least try!

It's that glossing over of the details that led me to wasting far too much time trying to obtain my OAuth access token and secret key. There is no definitive sample code on their site, but there is a handful of scripts that lead one to believe that the process is straightforward; however, that was not my experience.

What I found when running those scripts is that the final step of requesting the access token would always return a result of "Missing or invalid oauth_verifier." I was using the scripts as-is, only modifying the consumer key and secret, and having absolutely no luck. After contacting Tumblr support and being told my question was "too technical," it was recommended that I post a question in the Google Groups Tumblr API discussion forum. However, that forum requires you to apply to join just in order to ask a question. Like I said previously -- the bar to entry is unnecessarily high.

After contacting the developer behind one of the aforementioned scripts and not receiving a response, I decided to roll up my sleeves again and try to tackle the problem from a different angle. Since I was following the scripts to a tee and not having any luck, and getting an error that doesn't seem to have been run into very often by anyone else (yet), I wondered if maybe the version of my oauth2 module (1.0.2) was newer than the one used by those who had found success with those scripts. Or maybe it didn't support the older 1.0a version of OAuth that the Tumblr API still requires (though Wikipedia claims OAuth 2.0 should be backward-compatible).

Those thoughts led me to a different OAuth module for Python called Rauth. I very quickly tweaked their example code to work with the Tumblr API instead of Twitter's and ran the script. To my dismay, the script raised an exception:

TypeError: session() takes no arguments (1 given)

Because the script working out of the box would just be too easy, right? Upon realizing that the error was being thrown from within the Requests module that Rauth depends on, I was lucky enough to stumble upon a Stack Overflow post mentioning that a recent Requests version change was littered with backward-incompatible changes. It recommended rolling back to version 0.14.2, so I did the following from the command-line (on Linux):

sudo pip install --upgrade requests=0.14.2

I then ran my modified script again, and lo and behold, it ran to completion and printed out my access token and secret.

If you're at all interested in the script I ended up using to do so, you can check it out on Github.


Ryan on January 23, 2013 at 7:51 AM:

I remember similar struggles with Facebook authentication a few years ago. When I tried it again more recently with the graph API, it ended up being really straightforward. Good APIs make a big difference.


Post Comments

If you feel like commenting on the above item, use the form below. Your email address will be used for personal contact reasons only, and will not be shown on this website.


Email Address:



Check this box if you hate spam.