Authentication for Desktop Clients and Flash/AIR Apps


Desktop clients usually want to authenticate users and obtain security tokens that they can use to access other services on behalf of those users. A typical example is a desktop instant messaging client that authenticates a user and connects to the user's instant messaging service to send and receive messages. The AOL OpenAuth APIs provide a new method called "clientLogin" that allows clients to authenticate AOL/AIM/ICQ users securely and obtain an authentication token that can be used to access AOL Open Services like WebAIM.

As illustrated in the diagram below, this is done with the AOL OpenAuth Service in 2 steps: authenticate the user with a "clientLogin" request, then make a Service Request on behalf of the user using the security token obtained from the "clientLogin" response.

Login for clients

Building a desktop client with the "clientLogin" method involves the following three steps:

  1. Use "clientLogin" to verify the user's login credentials and obtain a token and a session secret.
  2. Using the user's password (collected in step 1) as the key, compute an HMAC-SHA256 of the session secret and base64 encode it; this value is the Session Key.
    • Session Key = base64_encode[HMAC-SHA256(key, data)] where key is the user's password and data is the session secret obtained from the clientLogin response.
    • Make sure the Session Key string (the base64 encoded value) is properly padded with '=' signs.
    • Example: if a user's password is "test" and the session secret from the OpenAuth 'clientLogin' response is "Olpq7NboSbO0gxym", then the Session Key would be base64_encode[HMAC-SHA256("test", "Olpq7NboSbO0gxym")] = "pgBumyiK1xwvjLjcDLRCW7/LySPp+DUXQ3PpDU3c84w="
  3. Use the Session Key to sign all Open Services requests (the only services that support clientLogin tokens at this point are WIM and OpenMail).

The flow diagram below illustrates the above 3 steps:

Occasionally some AOL Open Services may require the user's consent (permission) before your client is allowed to access the user's data. This involves implementing support for the 'getConsent' and 'getCaptcha' methods to collect the user's consent using a Captcha image and pass the result back to OpenAuth.


API Reference



clientLogin

  • HTTP Method
    • POST
      (NOTE: All request parameters must be passed in the POST body only, not in the query string)
  • HTTP Header
    • X-Forwarded-For (required if proxying clientLogin requests)
      • Clients/servers proxying 'clientLogin' must pass the peer IP of the request they received from their own client as the X-Forwarded-For header of the 'clientLogin' request, so OpenAuth can enforce rate limits on the correct client IP. If the incoming request already carries an X-Forwarded-For header, append the peer IP to it before sending it as the X-Forwarded-For header in OpenAuth requests.
  • Arguments
    • devId (required)
      • your developer Id required to access AOL APIs
    • f (required)
      • the required format of the response (json or xml or qs)
    • s (required)
      • the loginID of the source user
    • language (optional)
      • the required language and locale of the error/status messages. This is always in "<lang>-<locale>" format. The lang is the 2 letter language code for I18N (default: en) and the locale is the 2 letter Locale code for I18N (default: us). If not passed in, the language will be extracted from HTTP header (Accept-Language) and if that is not available will default to "en-us". Check below for our current supported language list.
    • tokenType (optional)
      • "shortterm" (session based token - max life 24 hrs - default) or "longterm" (valid for 1 year) or any non-negative long value representing the required Token validity in seconds
    • c (optional)
      • the callback method to use when using jsonp convention (argument f = json)
    • r (optional)
      • a URL-safe string to be used as the requestId; when passed it is returned in the response
    • pwd (optional)
      • User's Password when initiating the request for the first time or when Password challenge is returned in previous request
    • securid (optional)
      • User's SecurId when SecurId challenge is returned in previous request
    • asqAnswer (optional)
      • AOL Account Security Question's Answer when ASQ challenge is returned in previous request
    • word (optional)
      • Captcha Word when Captcha challenge is returned in previous request
    • context (optional)
      • Authentication Context returned in previous directLogin request when additional challenges are required
    • authMethod (optional)
      • Authentication Method required in addition to PWD (default)
      • Additional authMethod supported in this phase is "ASQ" (Account Security Question)
    • idType (optional)
      • You can pass value as "ICQ" to make sure you are authenticating an ICQ user (both numeric id and email alias)
      • No need to pass if you are just authenticating AOL/AIM users and even ICQ numeric ids only (not ICQ email aliases)
    • rlToken (optional)
      • Rate Limit Token obtained via a previous directLogin call with successful captcha challenge for the same user ('s' must match)
      • If user loginId doesn't match, rlToken would be ignored
    • clientName (optional)
      • An optional name of the Client
    • clientVersion (optional)
      • An optional version of the Client
  • Response Format

The following data elements would be returned in the response

  • token -- upon successful authentication
    • expiresIn -- Expiry time in secs
    • a -- Authentication Token that can be used to invoke other services
  • challenge -- when additional challenges are required to complete authentication
    • info (optional) -- ASQ Question in case of an ASQ Challenge, or Image url in case of a Captcha challenge
    • context -- Authentication context to be returned on subsequent challenge responses
  • rlToken -- Rate Limit token returned when the user successfully validates the Captcha word and provides valid login credentials (loginId & password)
  • sessionSecret -- Session Secret used to generate the Session Key used for signing subsequent AOL/AIM Open Services requests (WebAIM).
  • hostTime -- OpenAuth server's current time in seconds since the epoch. Clients can use this to sync their clocks when making other AOL Open Service calls that carry the "ts" (timestamp) parameter.
  • The XML standard wrapper:
       <response>
            <statusCode />
            <statusText />
            <statusDetailCode />
            <requestId />
            <data>
                 ....
            </data>
       </response>
  • The JSON standard wrapper:
   {"response":{
        "statusCode":"",
        "statusText":"",
        "statusDetailCode":"",
        "requestId":"",
        "data":{
              ....
        }
   }}
  • Query String

The following parameters will be returned as name=value pairs in URL query string format (name=value&name=value&...)

        statusCode
        statusText
        statusDetailCode
        requestId
        token_expiresIn
        token_a
        challenge_info
        challenge_context
        rlToken
        sessionSecret
        hostTime
  • Error Codes
    • 200 - Success (Ok)
    • 330 - More authentication required
    • 400 - Invalid request
    • 401 - Unauthorized (authentication required)
    • 405 - Method not allowed
    • 408 - Request timeout
    • 430 - Source rate limit reached
    • 440 - Invalid Key
    • 441 - Key usage limit reached
    • 442 - Key invalid IP
    • 443 - Key used from unauthorized site
    • 460 - Missing required parameter
    • 461 - Source required
    • 462 - Parameter error
    • 500 - Generic Server Error
  • Status DetailCodes (statusDetailCode)
    • 3xxx - Authentication/Challenges Related errors
      • 3011 - Password-LoginId Required/Invalid
      • 3012 - SecurId Required/Invalid
      • 3013 - SecurId Next Token Required
      • 3014 - ASQ Required/Invalid
      • 3015 - Captcha Required/Invalid
      • 3016 - AOLKey Required
      • 3017 - Rights/Consent Required
      • 3018 - TOS/Privacy Policy Accept Required (this is not same as Rights/Consent - this is for future extension)
      • 3019 - Account Not allowed
      • 3020 - Email not confirmed
      • 3021 - Account needs to be updated (send user to AOL)
  • Sample Response
    • XML
     <response xmlns="https://api.login.aol.com">
         <statusCode>200</statusCode>
         <statusText>OK</statusText>
         <data>
             <token>
                  <expiresIn>86400</expiresIn>
                  <a>%2FwEAAAAAZ%2F......</a>
             </token>
             <sessionSecret>AEqD4Tn4FwOwBMV7</sessionSecret>
             <hostTime>1204563923</hostTime>
         </data>
     </response>
  • json
         {"response":{
              "statusCode":200,
              "statusText":"OK",
              "data":{
                   "sessionSecret":"GaPSXTfpvXILlNn6",
                   "hostTime":1204563933,
                   "token":{
                       "expiresIn":86400,
                       "a":"%2FwEAAAAAEil22m......"
                   }
              }
         }}
  • qs
         statusCode=200&statusText=OK&token_a=.....&token_expiresIn=86400&sessionSecret=....&hostTime=1204563933

getConsent

  • Description

This method should only be used to obtain the user's consent (permission) to access an AOL/AIM Service on behalf of the user, when instructed to by the AOL/AIM Services with status code '340' along with a redirect URL.

For client logins (token obtained via 'clientLogin' methods), the client must do a "direct" request to the getConsent Url along with the required parameters as specified below. The getConsent Url returned by the AOL/AIM Services contains only the "enc" parameter, so you must add the other required parameters specified below.

  • URL
    • http(s)://api.screenname.aol.com/auth/getConsent
  • HTTP Method
    • GET or POST
  • Arguments
    • devId (required)
      • your developer Id required to access AOL APIs
    • f (required)
      • the required format of the response (json or xml or qs)
    • enc (required)
      • The encrypted token returned by the previous call to OpenAuth or AOL/AIM Open Service as part of the 'redirectUrl'. Since the getConsent url already contains the 'enc' parameter, you don't need to manually add it.
    • language (optional)
      • the required language and locale of the error/status messages. This is always in "<lang>-<locale>" format. The lang is the 2 letter language code for I18N (default: en) and the locale is the 2 letter Locale code for I18N (default: us). If not passed in, the language will be extracted from HTTP header (Accept-Language) and if that is not available will default to "en-us". Check below for our current supported language list.
    • c (optional)
      • the callback method to use when using jsonp convention (argument f = json)
    • r (optional)
      • a URL-safe string to be used as the requestId; when passed it is returned in the response
    • context (optional)
      • Context returned in previous getConsent request when additional challenges are required
    • word (optional)
      • Captcha Word when Captcha challenge is returned in previous request
  • Response Format

The following data elements will be returned in the response. If a 'challenge' is returned, the application must present the information to the user along with the captcha image/audio. Once the user enters the captcha word, send the 'getConsent' request again with the required parameters along with the user entered captcha word and context.

  • statusText -- contains the message that needs to be displayed to the user regarding the permission that is being granted to the Consumer application
  • challenge -- when user needs to be captcha challenged to get permission to access protected content
    • info -- Free form text to display to the user
    • context -- challenge context to be returned on subsequent getConsent requests
    • url -- Url for obtaining Captcha (Refer to getCaptcha for more information)
  • The XML standard wrapper:
       <response>
            <statusCode />
            <statusText />
            <statusDetailCode />
            <requestId />
            <data>
                 ....
            </data>
       </response>
  • The JSON standard wrapper:
   {"response":{
        "statusCode":"",
        "statusText":"",
        "statusDetailCode":"",
        "requestId":"",
        "data":{
              ....
        }
   }}
  • Query String

The following parameters will be returned as name=value pairs in URL query string format (name=value&name=value&...)

         statusCode
         statusText
         statusDetailCode
         requestId
         challenge_info
         challenge_context 
  • Error Codes
    • 200 - Success (Ok)
    • 330 - More authentication required
    • 400 - Invalid request
    • 401 - Unauthorized (authentication required)
    • 405 - Method not allowed
    • 408 - Request timeout
    • 430 - Source rate limit reached
    • 440 - Invalid Key
    • 441 - Key usage limit reached
    • 442 - Key invalid IP
    • 443 - Key used from unauthorized site
    • 460 - Missing required parameter
    • 461 - Source required
    • 462 - Parameter error
    • 500 - Generic Server Error
  • Status DetailCodes (statusDetailCode)
    • 3xxx - Authentication/Challenges Related errors
      • 3015 - Captcha Required/Invalid
  • Sample Response
    • XML
         <response xmlns="https://api.login.aol.com">
              <statusCode>200</statusCode>
              <statusText>OK</statusText>
         </response>
    • json
         {"response":{
             "statusCode":200,
             "statusText":"OK"
         }}
    • qs
         statusCode=200&statusText=OK

getCaptcha

  • Description
    • This method can be used to obtain a Captcha Image or Audio file for a given authentication context. The Captcha Image or Audio files are generally required to challenge the user upon receiving a Captcha Challenge from "directLogin" method.
  • URL
  • HTTP Method
    • GET
  • Arguments
    • devId (required)
      • your developer id required to access AOL APIs
    • f (optional)
      • the required format of the response
      • Supported formats:
        • image (Content-Type: image/jpeg) (default)
        • audio (Content-Type: audio/mpeg)
    • language (optional)
      • the required language and locale of the error/status messages. This is always in "<lang>-<locale>" format. The lang is the 2 letter language code for I18N (default: en) and the locale is the 2 letter Locale code for I18N (default: us). If not passed in, the language will be extracted from HTTP header (Accept-Language) and if that is not available will default to "en-us".
    • context (required)
      • Authentication Context returned in previous directLogin request when additional challenges are required
  • Response Format
    • Response will be either image or audio content based on the requested format. Standard HTTP status codes will be used to indicate errors.
    • HTTP Response Codes
      • 200 - Success (Ok)
      • 302 - Redirect to SSL
      • 400 - Bad Request (invalid context)
      • 415 - Unsupported Media Type
      • 500 - Internal Server Error
      • 503 - Service Unavailable

getInfo

  • Description

Validates the Authentication Token issued by clientLogin method and returns user's loginId, displayName and the authentication time stamp. This method also provides a way (see 'reqRights' argument below) for the client to obtain user's consent and manage it securely.

  • URL
    • http(s)://api.screenname.aol.com/auth/getInfo
  • HTTP Method
    • GET or POST
  • Arguments
    • devId (required)
      • your developer Id required to access AOL APIs
    • f (required)
      • the required format of the response (json or xml or qs)
    • language (optional)
      • the required language and locale of the error/status messages. This is always in "<lang>-<locale>" format. The lang is the 2 letter language code for I18N (default: en) and the locale is the 2 letter Locale code for I18N (default: us). If not passed in, the language will be extracted from HTTP header (Accept-Language) and if that is not available will default to "en-us". Check below for our current supported language list.
    • reqAuthFreshness (optional)
      • required authentication freshness in secs (time since the user was last authenticated). Default is 24 hrs (86400 secs)
    • c (optional)
      • the callback method to use when using jsonp convention (argument f = json)
    • r (optional)
      • a URL-safe string to be used as the requestId; when passed it is returned in the response
    • a (required)
      • the Authentication token returned by login or getToken methods
    • ts (required)
      • current timestamp in seconds since epoch used to make sure the request cannot be replayed after a few mins
    • sig_sha256 (required)
      • Base64 encoded digital signature (HMAC-SHA256) of the request using the Session Key generated as below.
        • Session Key = base64_encode[HMAC-SHA256(key, data)] where key is the user's password and data is the session secret obtained from clientLogin response.
      • Please refer to Signing Requests for information about how to generate signature.
  • Response Format

The following data elements would be returned in the response

  • userData
    • loginId -- User's Login Identifier
    • displayName -- User's Display Name
    • lastAuth -- Seconds since the user was last authenticated
  • redirectURL -- Redirect URL where the user should be redirected to.
  • The XML standard wrapper:
       <response>
            <statusCode />
            <statusText />
            <statusDetailCode />
            <requestId />
            <data>
                 ....
            </data>
       </response>
  • The JSON standard wrapper:
   {"response":{
        "statusCode":"",
        "statusText":"",
        "statusDetailCode":"",
        "requestId":"",
        "data":{
              ....
        }
   }}
  • Query String

The following parameters will be returned as name=value pairs in URL query string format

         statusCode
         statusText
         statusDetailCode
         requestId
         userData_loginId
         userData_displayName
         userData_lastAuth
         redirectURL

  • Error Codes
    • 200 - Success (Ok)
    • 330 - More authentication required
    • 340 - More rights required
    • 400 - Invalid request
    • 401 - Unauthorized (authentication required)
    • 405 - Method not allowed
    • 408 - Request timeout
    • 430 - Source rate limit reached
    • 440 - Invalid Key
    • 441 - Key usage limit reached
    • 442 - Key invalid IP
    • 443 - Key used from unauthorized site
    • 444 - token used from unauthorized site (Referer doesn't match the value in token)
    • 450 - Rights denied
    • 451 - Permission denied
    • 460 - Missing required parameter
    • 462 - Parameter error
    • 500 - Generic Server Error
  • Sample Response
    • XML
    <response xmlns="https://api.login.aol.com">
        <statusCode>200</statusCode>
        <statusText>OK</statusText>
        <data>
           <userData>
              <loginId>ChattingChuck</loginId>
              <displayName>Chuck</displayName>
              <lastAuth>1161932570000</lastAuth>
           </userData>
        </data>
    </response>

  • json
    {"response":{
        "statusCode":200,
        "statusText":"OK",
        "data":{
            "userData":{
               "loginId":"ChattingChuck",
               "displayName":"Chuck",
               "lastAuth":1161932570000
             }
        } 
     }}

  • qs
    statusCode=200&statusText=OK&userData_loginId=ChattingChuck&userData_lastAuth=1161932570000

logout

  • Description

Terminates the user's authentication session and invalidates the Authentication Tokens obtained via 'clientLogin' method.

  • URL
    • http(s)://api.screenname.aol.com/auth/logout
  • HTTP Method
    • GET or POST
  • Arguments
    • devId (required)
      • your developer Id required to access AOL APIs
    • f (required)
      • the required format of the response (json or xml or qs)
    • s (optional)
      • the loginID of the source user (if known)
    • language (optional)
      • the required language and locale of the error/status messages. This is always in "<lang>-<locale>" format. The lang is the 2 letter language code for I18N (default: en) and the locale is the 2 letter Locale code for I18N (default: us). If not passed in, the language will be extracted from HTTP header (Accept-Language) and if that is not available will default to "en-us". Check below for our current supported language list.
    • c (optional)
      • the callback method to use when using jsonp convention (argument f = json)
    • r (optional)
      • a URL-safe string to be used as the requestId; when passed it is returned in the response
    • a (required)
      • the Authentication token returned by login or getToken methods
    • sig_sha256 (required)
      • Base64 encoded digital signature (HMAC-SHA256) of the request using the Session Key generated as below.
        • Session Key = base64_encode[HMAC-SHA256(key, data)] where key is the user's password and data is the session secret obtained from clientLogin response.
      • Please refer to Signing Requests for information about how to generate signature.
  • Response Format
  • The XML standard wrapper:
       <response>
            <statusCode />
            <statusText />
            <statusDetailCode />
            <requestId />
            <data>
                 ....
            </data>
       </response>
  • The JSON standard wrapper:
   {"response":{
        "statusCode":"",
        "statusText":"",
        "statusDetailCode":"",
        "requestId":"",
        "data":{
              ....
        }
   }}
  • Query String

The following parameters will be returned in URL query string format

         statusCode
         statusText
         statusDetailCode
         requestId
  • Error Codes
    • 200 - Success (Ok)
    • 304 - Not modified
    • 400 - Invalid request
    • 405 - Method not allowed
    • 408 - Request timeout
    • 430 - Source rate limit reached
    • 440 - Invalid Key
    • 441 - Key usage limit reached
    • 442 - Key invalid IP
    • 443 - Key used from unauthorized site
    • 444 - token used from unauthorized site (Referer doesn't match the value in token)
    • 460 - Missing required parameter
    • 461 - Source required
    • 462 - Parameter error
    • 500 - Generic Server Error
  • Sample Response
    • XML
     <response xmlns="https://api.login.aol.com">
        <statusCode>200</statusCode>
        <statusText>OK</statusText>
     </response>
  • json
    {"response":{
        "statusCode":200,
        "statusText":"OK"
    }}
  • qs
    statusCode=200&statusText=OK

client2Web

  • Description

If the client wants to establish a Web authenticated session for the currently logged in user, it has to send a login request to AOL Web Authentication System with the following parameters. The request has to be signed as specified below in the appendix using the Session Key generated.

  • URL
    • http://my.screenname.aol.com/_cqr/login/login.psp
  • HTTP Method
    • GET or POST
  • Arguments
    • devId (required)
      • your developer Id required to access AOL APIs
    • entryType (required)
      • value as "client2Web"
    • ts (required)
      • current timestamp in seconds since epoch used to make sure the request cannot be replayed after a few mins
    • destUrl (optional)
      • the destination url to redirect to after establishing web authentication session
    • a (required)
      • the Authentication token returned by "clientLogin" method
    • sig_sha256 (required)
      • Base64 encoded digital signature (HMAC-SHA256) of the request using the Session Key generated as below.
        • Session Key = base64_encode[HMAC-SHA256(key, data)] where key is the user's password and data is the session secret obtained from clientLogin response.
      • Please refer to Signing Requests for information about how to generate signature.
  • Response Format

Upon successful validation of the request, user will be redirected to the destination Url. If no destination Url is provided, HTTP status codes will be returned as follows:

  • 200 - Success: establishes a web authentication session for the user.
  • 400 - Failure: due to an invalid/expired token or an invalid sig_sha256 value.

Appendix


Signing Requests

Even though the 'clientLogin' request itself doesn't need to be signed, all subsequent requests (both OpenAuth requests and any other protected resources like WebAIM) made using the authentication token obtained using 'clientLogin' request "must" be signed. Instead of defining yet another request signing method, we support the request signing method to generate the "Signature Base String" as defined in the 'OAuth' protocol. The OAuth Signature Base String is documented here. Here we document how to generate and use the same Signature Base String for signing requests using 'clientLogin' tokens.

Please note that we are using the OAuth Signature Base String only, and not adopting the OAuth parameter naming convention. The Session Key generated using the user's password and the session secret returned by 'clientLogin' method should be used as the Key while generating the HMAC-SHA256 of the Signature Base String.

The Signature Base String is a consistent reproducible concatenation of the request elements into a single string. The string is used as an input in hashing or signing algorithms. It consists of 3 parts of information - the HTTP Method used, the Request URI, and the request parameters itself.

All the request parameters MUST be encoded as described in Parameter Encoding prior to constructing the Signature Base String.

Step 1: Normalize Request Parameters

The request parameters are collected, sorted and concatenated into a normalized string:

  • Parameters in the OAuth HTTP Authorization header excluding the realm parameter.
  • Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded).
  • HTTP GET parameters added to the URLs in the query part (as defined by RFC3986 section 3).

The sig_sha256 parameter MUST be excluded.

The parameters are normalized into a single string as follows:

  1. Parameters are sorted by name, using lexicographical byte value ordering. If two or more parameters share the same name, they are sorted by their value. For example:
    a=1, c=hi%20there, f=25, f=50, f=a, z=p, z=t
  2. Parameters are concatenated in their sorted order into a single string. For each parameter, the name is separated from the corresponding value by an '=' character (ASCII code 61), even if the value is empty. Each name-value pair is separated by an '&' character (ASCII code 38). For example:
    a=1&c=hi%20there&f=25&f=50&f=a&z=p&z=t

Step 2: Construct Request URL

The Signature Base String includes the request absolute URL, tying the signature to a specific endpoint. The URL used in the Signature Base String MUST include the scheme, authority, and path, and MUST exclude the query and fragment as defined by RFC3986 section 3.

If the absolute request URL is not available to the Service Provider (it is always available to the Consumer), it can be constructed by combining the scheme being used, the HTTP Host header, and the relative HTTP request URL. If the Host header is not available, the Service Provider SHOULD use the host name communicated to the Consumer in the documentation or other means.

The Service Provider SHOULD document the form of URL used in the Signature Base String to avoid ambiguity due to URL normalization. Unless specified, URL scheme and authority MUST be lowercase and include the port number; http default port 80 and https default port 443 MUST be excluded.

For example, the request:

                HTTP://Example.com:80/resource?id=123

Is included in the Signature Base String as:

                http://example.com/resource

Step 3: Concatenate Request Elements

The following items MUST be concatenated in order into a single string. Each item is encoded and separated by an ‘&’ character (ASCII code 38), even if empty.

   1. The HTTP request method used to send the request. Value MUST be uppercase, for example: HEAD, GET, POST, etc.
   2. The request URL from Step 2 above.
   3. The normalized request parameters string from Step 1 above.

Step 4: Generating Signature

sig_sha256 is set to the calculated digest octet string, first base64-encoded per RFC2045 section 6.8, then URL-encoded per Parameter Encoding.

Example:

This example uses the OpenAuth "getInfo" request to show how to generate the signature.

Sample getInfo request: https://api.screenname.aol.com/auth/getInfo?a=tokendata&clientName=test%20Client&clientVersion=1&f=xml&k=developerkey&ts=1200858745

To generate the signature for this request, the client first needs to generate the Signature Base String. The request contains the following parameters, which are ordered and concatenated into a normalized string:

  • a=tokendata
  • clientName=test%20Client
  • clientVersion=1
  • f=xml
  • k=developerkey
  • ts=1200858745

The following inputs are used to generate the Signature Base String:

  1. GET
  2. https://api.screenname.aol.com/auth/getInfo
  3. a=tokendata&clientName=test%20Client&clientVersion=1&f=xml&k=developerkey&ts=1200858745

The Signature Base String is:

   GET&https%3A%2F%2Fapi.screenname.aol.com%2Fauth%2FgetInfo&a%3Dtokendata%26clientName%3Dtest%2520Client%26clientVersion%3D1%26f%3Dxml%26k%3Ddeveloperkey%26ts%3D1200858745
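The Session Key derivation from the three-step flow at the top of the page and signing steps 1 to 4 of this appendix, as an added Python example that is not part of the original AOL documentation. It reproduces the page's getInfo Signature Base String above and assumes, as the text states, that the base64 Session Key string itself is the HMAC key for the signature; the sample parameters are the page's own getInfo request.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def session_key(password: str, session_secret: str) -> str:
    """Flow step 2: Session Key = base64(HMAC-SHA256(key=password, data=sessionSecret)).

    b64encode keeps the '=' padding the page insists on; a 32-byte digest
    always yields a 44-character string ending in exactly one '='.
    """
    mac = hmac.new(password.encode("utf-8"), session_secret.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def encode(value: str) -> str:
    """OAuth-style parameter encoding: percent-encode everything except unreserved characters."""
    return quote(value, safe="")


def normalize_url(url: str) -> str:
    """Signing step 2: lowercase scheme and host, drop default ports, drop query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is not None and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path}"


def normalize_params(params) -> str:
    """Signing step 1: encode, sort by name then value (byte order), join as name=value&...

    sig_sha256 is never part of the string it signs, so it is dropped here.
    """
    pairs = sorted((encode(k), encode(v)) for k, v in params if k != "sig_sha256")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params) -> str:
    """Signing step 3: METHOD & encode(URL) & encode(normalized parameters)."""
    return "&".join([method.upper(), encode(normalize_url(url)), encode(normalize_params(params))])


def sign_request(method: str, url: str, params, key: str) -> str:
    """Signing step 4: sig_sha256 = base64(HMAC-SHA256(Session Key, Signature Base String)).

    Assumption from the text: the base64 Session Key string is used directly as the HMAC key.
    """
    base = signature_base_string(method, url, params)
    mac = hmac.new(key.encode("utf-8"), base.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def signed_query(method: str, url: str, params, key: str) -> str:
    """Query string to send: the normalized parameters plus the URL-encoded sig_sha256."""
    sig = sign_request(method, url, params, key)
    return normalize_params(params) + "&sig_sha256=" + encode(sig)


# Constructed sample: the page's worked getInfo request. "test Client" is kept raw here
# because normalize_params applies the parameter encoding itself.
GETINFO_URL = "https://api.screenname.aol.com/auth/getInfo"
GETINFO_PARAMS = [
    ("a", "tokendata"),
    ("clientName", "test Client"),
    ("clientVersion", "1"),
    ("f", "xml"),
    ("k", "developerkey"),
    ("ts", "1200858745"),
]

if __name__ == "__main__":
    # Session Key from the page's example inputs (password "test", secret "Olpq7NboSbO0gxym").
    key = session_key("test", "Olpq7NboSbO0gxym")
    print("Session Key :", key)
    print("Base string :", signature_base_string("GET", GETINFO_URL, GETINFO_PARAMS))
    print("Signed query:", signed_query("GET", GETINFO_URL, GETINFO_PARAMS, key))
```

Running the script prints the Session Key for the page's example inputs, which can be compared against the value documented in step 2 of the flow.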