OAuth – a brief summary

OAuth (this summary covers OAuth 1.0, the version built on consumer keys and signed requests) is a standard that lets an end user authorize an application to access a third-party service on the user's behalf, without the application ever learning the user's password for that service.

Access is authorized on two levels by the third party: the application must be identified, and so must the user on whose behalf it is acting.

Application authorization

The application obtains, through an out-of-band channel (typically a registration form at the third-party service where the application developer applies for access), the following pair of credentials:

  1. Consumer key (a.k.a. API key, public key, application key). Transmitted to third party as oauth_consumer_key.
  2. Consumer secret (a.k.a. API secret, private key, consumer secret key, application secret). Never transmitted.

The consumer secret is never sent to the third party directly; it is only used to calculate a signature over each request. That holds for the HMAC-SHA1 signature method (the common one). The PLAINTEXT method, by contrast, does send the secrets themselves and relies entirely on TLS, so it should only be accepted over HTTPS.

User authorization

The user typically authorizes the application through the 3-legged OAuth flow: the application fetches a temporary request token from the service, the user is redirected to the service and approves the request, and the application exchanges the approved request token for an access token. On completion the application holds an access token consisting of:

  1. Token (a.k.a. access token). Transmitted to third party as oauth_token.
  2. Secret (a.k.a. access token secret, oauth token secret).

Like the consumer secret, the token secret is never transmitted directly; it is used, together with the consumer secret, to calculate the request signature.

Access

An OAuth-authorized HTTP request to the third party carries several OAuth-specific parameters, the most important being oauth_consumer_key, oauth_token and oauth_signature (alongside oauth_signature_method, oauth_timestamp and oauth_nonce, which the server uses to reject stale and replayed requests). With the usual HMAC-SHA1 method, oauth_signature is not a plain SHA-1 hash of the secrets: it is an HMAC-SHA1 computed over a signature base string made of the HTTP method, the request URL and all request parameters (percent-encoded and sorted), keyed with the consumer secret and the access token secret joined by "&". The server recomputes the same value from the request it received and compares the two. OAuth parameters can be sent in the Authorization HTTP header (the preferred form), in a form-encoded request body, or as standard URL query parameters.
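The signing procedure described above, as an added Python example that is not part of the original post: it builds the signature base string, derives the HMAC-SHA1 signature with the "consumer_secret&token_secret" key, emits the Authorization header, and shows the server-side check (recompute and compare in constant time). The sample identifiers used at the bottom (consumer key dpf43f3p2l4k3l03, token nnch734d00sl2jdk, the photos.example.net URL and the two secrets) are taken from the RFC 5849 section 1.2 walkthrough; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value) -> str:
    """RFC 5849 §3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ are left as-is."""
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    authority = host if port in (None, default) else f"{host}:{port}"
    return f"{scheme}://{authority}{parts.path or '/'}"


def normalize_params(params) -> str:
    """Encode every name and value, sort by name then value, join with & and =."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, params) -> str:
    """METHOD & encoded(base URI) & encoded(normalized parameters).

    `params` is a list of (name, value) pairs: the oauth_* protocol parameters
    plus any application/x-www-form-urlencoded body fields. The URL's query
    string parameters are folded in here."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    normalized = normalize_params(list(params) + query)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key = encoded(consumer_secret) & encoded(token_secret). The secrets never
    leave the client; only this MAC over the base string is sent."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, form_params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Client side: build the Authorization header for one request.
    Returns (header, base_string) so the base string can be inspected."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, list(oauth.items()) + list(form_params))
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    # Header values are percent-encoded, so the base64 signature's +, / and = become %2B, %2F, %3D.
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())
    return header, base


def parse_authorization_header(header: str) -> dict:
    """Server side: pull the name="value" pairs out of an OAuth Authorization header."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    return {unquote(k): unquote(v) for k, v in re.findall(r'([\w%]+)="([^"]*)"', header)}


def verify_signature(method, url, form_params, header, consumer_secret, token_secret="") -> bool:
    """Server side: recompute the signature from the request as received and
    compare in constant time. The caller still has to look up the secrets by
    oauth_consumer_key / oauth_token and reject stale timestamps and reused nonces."""
    received = parse_authorization_header(header)
    if received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    claimed = received.pop("oauth_signature", "")
    received.pop("realm", None)  # realm is never part of the signature
    base = signature_base_string(method, url, list(received.items()) + list(form_params))
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(claimed.encode(), expected.encode())


if __name__ == "__main__":
    # Sample input: identifiers from the RFC 5849 §1.2 walkthrough (photos.example.net).
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    hdr, base = sign_request("GET", url, [], "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                             "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", nonce="chapoH", timestamp=137131202)
    print(base)
    print(hdr)
    print(verify_signature("GET", url, [], hdr, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"))
```

Two things the signature alone does not give you: it binds the method, URL and parameters, but not the request body unless that body is form-encoded and folded into the parameters, and it says nothing about freshness. A server must additionally reject timestamps outside a short window and any (consumer key, nonce, timestamp) triple it has already seen, otherwise a captured request can be replayed verbatim.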
