Tutorials /

How to use HERE OAuth with Python

Last Updated: July 24, 2020


In a previous tutorial, we showed you how to generate a bearer token using JavaScript and NodeJS.

In this tutorial, you are going to learn how to acquire a HERE OAuth Bearer Token using Python.


  • A HERE Developer Account, if you don’t have one you can get one at developer.here.com.
  • OAuth Token Credentials. You can get the complete steps here.


We will complete the following steps in the tutorial: * Create an OAuth Signature * Request a token

Create an OAuth Signature

When requesting a token, you need to pass the OAuth signature in the Authorization Header of a request. This signature helps in authenticating a user or an application. The first part is to create a parameter string containing the following six key-value pairs. * grant_type - Value always remains same, “client_credentials” * oauth_consumer_key - The Access Key ID value we acquired from the credentials.properties file after generating HERE credentials * oauth_nonce - A unique string which never repeats * oauth_signature_method - Always use “HMAC-SHA256” * oauth_timestamp - The number of seconds since the Unix epoch, in simple words, the current time * oauth_version - Always use “1.0”

Open an IDE of your choice, create a Python file and add the following code to Python file. Replace your oauth_consumer_key with the Access Key ID found in the credentials file that you downloaded from developer.here.com.

import time #To generate the OAuth timestamp
import urllib.parse #To URLencode the parameter string
import hmac #To implement HMAC algorithm
import hashlib #To generate SHA256 digest
from base64 import b64encode #To encode binary data into Base64
import binascii #To convert data into ASCII
import requests #To make HTTP requests

grant_type = 'client_credentials'
oauth_consumer_key = 'HERE.ACCESS.KEY.ID' #From credentials.properties file
oauth_nonce = str(int(time.time()*1000))
oauth_signature_method = 'HMAC-SHA256'
oauth_timestamp = str(int(time.time()))
oauth_version = '1.0'

def create_parameter_string(grant_type, oauth_consumer_key,oauth_nonce,oauth_signature_method,oauth_timestamp,oauth_version):
    parameter_string = ''
    parameter_string = parameter_string + 'grant_type=' + grant_type
    parameter_string = parameter_string + '&oauth_consumer_key=' + oauth_consumer_key
    parameter_string = parameter_string + '&oauth_nonce=' + oauth_nonce
    parameter_string = parameter_string + '&oauth_signature_method=' + oauth_signature_method
    parameter_string = parameter_string + '&oauth_timestamp=' + oauth_timestamp
    parameter_string = parameter_string + '&oauth_version=' + oauth_version
    return parameter_string

parameter_string = create_parameter_string(grant_type, oauth_consumer_key,oauth_nonce,oauth_signature_method,oauth_timestamp,oauth_version)
encoded_parameter_string = urllib.parse.quote(parameter_string, safe='')

In the above code, we have imported several Python Standard Libraries for achieving our task and each library has a different role to play. All the parameters are combined in a single string alphabetically, with each key-value pair separated by an ampersand character(‘&’) and the output string is URL-encoded.

Next, add the HTTP method (POST), base URL (‘https://account.api.here.com/oauth2/token’) and encoded parameter string(we got from above) into a single string called Base String.

url = 'https://account.api.here.com/oauth2/token'
encoded_base_string = 'POST' + '&' + urllib.parse.quote(url, safe='')
encoded_base_string = encoded_base_string + '&' + encoded_parameter_string

Generating the OAuth signature requires data, which we created above (encoded_base_string) and a signing key. Both the values are passed into an HMAC-SHA256 Hashing Algorithm.

access_key_secret = 'HERE.ACCESS.KEY.SECRET'#From credentials.properties file
signing_key = access_key_secret + '&'

def create_signature(secret_key, signature_base_string):
    encoded_string = signature_base_string.encode()
    encoded_key = secret_key.encode()
    temp = hmac.new(encoded_key, encoded_string, hashlib.sha256).hexdigest()
    byte_array = b64encode(binascii.unhexlify(temp))
    return byte_array.decode()

oauth_signature = create_signature(signing_key, encoded_base_string)
encoded_oauth_signature = urllib.parse.quote(oauth_signature, safe='')

The output from the above method (create_signature) is first converted into a base64 string and then URL-encoded for further usage.

Request an Access Token

Once we have the signature, we can make a request for a Bearer Token. The Bearer Token is required for requests to most HERE APIs. There are several elements in the request.

Example OAuth HTTP Header:

 Content-Type: application/x-www-form-urlencoded
    Authorization: OAuth
    oauth_consumer_key="<The value of "here.access.key.id" from credentials.properties file>",
    oauth_nonce="<Random string, uniquely generated for each request>",
    oauth_timestamp="<Epoch seconds>",

Request Body:




The above response is expected when provided request body and authorization header.

body = {'grant_type' : '{}'.format(grant_type)}

headers = {
            'Content-Type' : 'application/x-www-form-urlencoded',
            'Authorization' : 'OAuth oauth_consumer_key="{0}",oauth_nonce="{1}",oauth_signature="{2}",oauth_signature_method="HMAC-SHA256",oauth_timestamp="{3}",oauth_version="1.0"'.format(oauth_consumer_key,oauth_nonce,encoded_oauth_signature,oauth_timestamp)
response = requests.post(url, data=body, headers=headers)


After executing the above code, we get Access Token as the output along with token type and token validity duration.



After going through this tutorial you should have a basic level of understanding in the following:

  • How to generate an access token using the HERE OAuth credentials.

Next Steps