
How to Obtain a Tumblr Access Token Using OAuth 1.0/2.0

Hey there! Since you’ve already tackled OAuth integrations for Instagram and LinkedIn, you’ll find this straightforward. Let’s break down both OAuth 1.0a (Tumblr’s fully supported, go-to flow) and OAuth 2.0 (limited use cases) step by step—no SDK required, just raw HTTP requests.

OAuth 1.0a is the flow you’ll want for full access to Tumblr’s API. It’s a bit more involved than OAuth 2.0, but you’re already familiar with the core OAuth concepts, so you’ll pick it up fast.

Step 1: Grab Your App Credentials

First, head to the Tumblr Developer Portal to register your app. You’ll get two critical values:

  • consumer_key (your app’s public identifier)
  • consumer_secret (your app’s shared secret; keep it server-side and never expose it client-side)

Pro tip: Make sure you set a valid callback URL in your app settings. This has to match exactly what you use in later requests, or Tumblr will reject your calls outright.

Step 2: Request a Temporary Request Token

Send a POST request to https://www.tumblr.com/oauth/request_token. This is where you’ll generate your first OAuth signature using HMAC-SHA1.

Required OAuth Parameters (all go in the Authorization header):

  • oauth_consumer_key: Your app’s consumer key
  • oauth_nonce: A random, unique string (generate a new one for every request)
  • oauth_timestamp: Current Unix timestamp (seconds since epoch)
  • oauth_signature_method: HMAC-SHA1
  • oauth_version: 1.0
  • oauth_callback: Your registered callback URL (URL-encoded)

How to Generate the Signature:

  1. Create a base string by joining these three parts with &:
    • Uppercase request method (POST)
    • URL-encoded request URL (https%3A%2F%2Fwww.tumblr.com%2Foauth%2Frequest_token)
    • The OAuth parameters: URL-encode each key and value, sort alphabetically by key, join as key=value&key=value..., then URL-encode the whole joined string once more
  2. Use {consumer_secret}& as the signing key (note the trailing &; there is no token secret yet, so the part after it stays empty)
  3. Compute the HMAC-SHA1 of the base string with that key (a keyed hash, not encryption), then base64-encode the result to get oauth_signature

Example curl Request (fill in your values):

curl --request POST "https://www.tumblr.com/oauth/request_token" \
--header 'Authorization: OAuth oauth_consumer_key="YOUR_CONSUMER_KEY", oauth_nonce="RANDOM_UNIQUE_STRING", oauth_timestamp="1620000000", oauth_signature_method="HMAC-SHA1", oauth_version="1.0", oauth_callback="URL_ENCODED_CALLBACK", oauth_signature="GENERATED_SIGNATURE"'

If successful, you’ll get a response like:
oauth_token=REQUEST_TOKEN&oauth_token_secret=REQUEST_TOKEN_SECRET&oauth_callback_confirmed=true

Step 3: Redirect the User to Authorize Your App

Take the oauth_token from the previous step and redirect the user to:
https://www.tumblr.com/oauth/authorize?oauth_token=YOUR_REQUEST_TOKEN

The user will log into Tumblr and grant your app permissions. Once they do, Tumblr will redirect them back to your callback URL with two query parameters:

  • oauth_token: Same as the request token (to confirm validity)
  • oauth_verifier: A one-time code you’ll need for the next step

Step 4: Exchange for a Permanent Access Token

Send another POST request to https://www.tumblr.com/oauth/access_token, this time using the request token secret from Step 2 to generate the signature.

New OAuth Parameters to Add:

  • oauth_token: The request token from Step 2
  • oauth_verifier: The code from your callback URL

Signature Key for This Request:

{consumer_secret}&{request_token_secret} (now you include the request token secret after the &)

If all goes well, you’ll get your final access credentials:
oauth_token=FINAL_ACCESS_TOKEN&oauth_token_secret=FINAL_ACCESS_TOKEN_SECRET

Use these two values for all future API requests—every request will need a new HMAC-SHA1 signature using these tokens.
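
The signing procedure from Steps 2 and 4, plus the callback check from Step 3, as an added Python example (not code from the original answer or from Tumblr). The function names are illustrative, and the credentials and callback URL are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote

def pct(value):
    # RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode each key and value, sort, join, then encode the joined string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Step 2 signs with "consumer_secret&"; Step 4 appends the request token secret.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, oauth_params, consumer_secret, token_secret=""):
    params = dict(oauth_params)
    params.setdefault("oauth_nonce", secrets.token_hex(16))  # fresh per request
    params.setdefault("oauth_timestamp", str(int(time.time())))
    params.setdefault("oauth_signature_method", "HMAC-SHA1")
    params.setdefault("oauth_version", "1.0")
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

def verifier_from_callback(query_string, stored_request_token):
    # Step 3: accept the verifier only if the returned token is the one we issued.
    query = parse_qs(query_string)
    returned = query.get("oauth_token", [""])[0]
    if not hmac.compare_digest(returned.encode(), stored_request_token.encode()):
        raise ValueError("oauth_token does not match the stored request token")
    if len(query.get("oauth_verifier", [])) != 1:
        raise ValueError("expected exactly one oauth_verifier")
    return query["oauth_verifier"][0]

if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    print(authorization_header(
        "POST", "https://www.tumblr.com/oauth/request_token",
        {"oauth_consumer_key": "ck_example", "oauth_callback": "https://app.example/cb"},
        consumer_secret="cs_example"))
```

For the Step 4 request, add oauth_token and oauth_verifier to the parameters and pass the request token secret as token_secret.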

OAuth 2.0 (Limited Use Cases)

Tumblr’s OAuth 2.0 implementation is more restricted, mainly for read-only operations or simple third-party login. It’s simpler if your use case fits.

Step 1: Get Client Credentials

Same as OAuth 1.0a—register your app to get client_id and client_secret, and set your callback URL.

Step 2: Redirect User to Authorization Page

Send the user to:

https://www.tumblr.com/oauth2/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_CALLBACK_URL&response_type=code&scope=YOUR_SCOPES
  • Scopes: Use space-separated values like basic (profile access), read (read blog data), or write (post content). Check Tumblr’s docs for available scopes.

After authorization, Tumblr redirects back to your callback URL with a code query parameter.

Step 3: Exchange Code for Access Token

Send a POST request to https://www.tumblr.com/oauth2/token with these form-encoded parameters:

  • grant_type: authorization_code
  • code: The authorization code from your callback
  • redirect_uri: Your registered callback URL
  • client_id: Your app’s client ID
  • client_secret: Your app’s client secret

Example curl request:

curl --request POST "https://www.tumblr.com/oauth2/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data "grant_type=authorization_code&code=AUTH_CODE&redirect_uri=YOUR_CALLBACK&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET"

A successful response will include:

{
  "access_token": "YOUR_BEARER_TOKEN",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "basic read"
}

For future API requests, add this header:
Authorization: Bearer YOUR_BEARER_TOKEN
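
An added Python example (not from the original answer or from Tumblr) that builds the Step 2 redirect with properly encoded values and checks the callback before the Step 3 exchange. It assumes the standard OAuth 2.0 state parameter from RFC 6749, which the URL above does not include, to tie the callback to the session that started the flow; function names and sample values are illustrative.

```python
import hmac, secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://www.tumblr.com/oauth2/authorize"  # endpoint as given above

def build_authorize_url(client_id, redirect_uri, scopes):
    # Returns the redirect URL and the state value to store in the user's session.
    state = secrets.token_urlsafe(32)  # assumption: RFC 6749 "state", not shown on the page
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # space-separated, encoded as %20
        "state": state,
    }, quote_via=quote)
    return f"{AUTHORIZE_URL}?{query}", state

def code_from_callback(callback_url, expected_state):
    # Reject the callback unless it carries the state issued for this session.
    query = parse_qs(urlsplit(callback_url).query)
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def token_request_body(code, redirect_uri, client_id, client_secret):
    # Form-encoded body for the Step 3 POST; send it only from the server side.
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    })

if __name__ == "__main__":
    # Constructed sample values.
    url, state = build_authorize_url("cid_example", "https://app.example/cb", ["basic", "read"])
    print(url)
```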

Key Notes to Avoid Headaches
  • OAuth 1.0a is required for full API access—OAuth 2.0 doesn’t support all endpoints (like posting media or modifying blog settings).
  • For OAuth 1.0a, always sort your OAuth parameters alphabetically when generating the base string—this is a common source of signature errors.
  • Double-check your callback URL: it must match exactly (HTTP/HTTPS, path, and all) between your app settings and request parameters.

The question in this content comes from Stack Exchange; question author: Zafar Ahmad
