Gravity Forms API 2 JavaScript authentication problems

I am new to Gravity Forms and WordPress. I am using Gravity Forms (version 2.4.12) in my WordPress site (WP version 5.2.3). I feel comfortable with JavaScript, so I am trying to use JS to read in my GF form entries and display them in an HTML table that I will make searchable. I am trying to follow Gravity Forms documentation on using Basic Auth and OAuth 1.0a. I am unable to get Basic Auth to work but I am able to get OAuth 1.0a to work in Postman.

I have not been successful using Postman and following the Basic Authentication example here. With Basic Authentication, I provide my consumer key (username) and consumer secret (password) and I get the following error. I am not sure why this Basic Auth example is not working.

Request made to:


{
    "code": "rest_forbidden",
    "message": "Sorry, you are not allowed to do that.",
    "data": {
        "status": 401
    }
}

I am able to use Postman and follow the OAuth 1.0a Authentication example as shown here. This is working fine with Postman. At this point, I cannot get Basic Auth to work, but I can get OAuth 1.0a to work in Postman only.

Since I can get Postman working with OAuth 1.0a, I figure why not generate the JavaScript Postman is using to get this working in my WordPress site. What I am seeing is that Postman is generating some of the fields I need to figure out how to recreate within my JavaScript. I am not sure what all I need. I can see Postman using my consumer key, but it does not appear to be using my consumer secret for OAuth 1.0a in its generated JS output.

// These three params I know.
oauth_consumer_key = ck_1234....321a
oauth_signature_method = HMAC-SHA1
oauth_version = 1.0

// I need help creating these params as Postman generates these for each request.
oauth_timestamp = this I can create               
oauth_nonce = I am not sure how to create this
oauth_signature = I am not sure how to create this

I am looking for help on how to create the last three params, assuming that is all I need to request a response from my GF endpoint. This is my endpoint.

To create the timestamp, I have this.

var d = new Date;
var expiration = 3600; // 1 hour,
var unixtime = parseInt(d.getTime() / 1000);
var future_unixtime = unixtime + expiration;

// future_unixtime is my timestamp, example = 1569094276

To create the oauth_nonce, I am doing this. I am thinking this is an 11 character string based on what Postman is creating each time I make a request and get back results successfully. It is always an 11 character string.

function createRandomString(length) {
    var text = "";
    var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    for(var i = 0; i < length; i++) {
        text += possible.charAt(Math.floor(Math.random() * possible.length));
    }
    return text;
}

// generate the nonce
var nonce = createRandomString(11);

Lastly, I have no idea how to create the oauth_signature. In Postman, following the GF example for OAuth 1.0a, I can see that the consumer key and consumer secret are populated, but access token and token secret are not. Do I just leave those as empty strings?

I am using WordPress and I am new to WP. I can reference JS libraries via script tags in my HTML head, but I am not sure what other libraries I can use. It would be awesome to just do something like this.

var signature = CryptoJS.HmacSHA1(some_string, oauth_consumer_key  + '&' + oauth_consumer_secret);

I am not sure what to do for this signature.

  1. Why won’t Basic Auth work for me?
  2. What do I need to recreate in JavaScript in order to get OAuth 1.0a to work?

Thanks for the help!
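An added example, not part of the original post and not Gravity Forms' own code: the nonce, timestamp and signature built per RFC 5849 with Node's built-in crypto module, run server-side so the consumer secret is not shipped to the browser. With no access token, the HMAC key is the consumer secret followed by "&" and an empty token secret; the example.com URL, the ck_/cs_ values and the function names are placeholders assumed for illustration.

```javascript
// OAuth 1.0a (RFC 5849) HMAC-SHA1 signing with Node's built-in crypto module.
const crypto = require("crypto");

// RFC 3986 percent-encoding; encodeURIComponent leaves ! * ' ( ) unescaped.
function pct(s) {
  return encodeURIComponent(s).replace(/[!*'()]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string: METHOD & encoded base URL & encoded, sorted parameters.
function baseString(method, url, params) {
  const u = new URL(url);
  const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
  const normalized = [...u.searchParams.entries(), ...Object.entries(params)]
    .map(([k, v]) => [pct(k), pct(String(v))])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => k + "=" + v).join("&");
  return [method.toUpperCase(), pct(u.origin + u.pathname), pct(normalized)].join("&");
}

// The HMAC key is "<consumer secret>&<token secret>". Without an access token the
// token secret is the empty string, so the key ends in "&". The consumer key is
// sent as a request parameter; it is never part of the HMAC key.
function sign(method, url, params, consumerSecret, tokenSecret = "") {
  const key = pct(consumerSecret) + "&" + pct(tokenSecret);
  return crypto.createHmac("sha1", key)
    .update(baseString(method, url, params)).digest("base64");
}

// Build the complete oauth_* parameter set for one request.
function oauthParams(method, url, consumerKey, consumerSecret, now = Date.now()) {
  const p = {
    oauth_consumer_key: consumerKey,
    oauth_nonce: crypto.randomBytes(16).toString("hex"), // CSPRNG, unique per request
    oauth_signature_method: "HMAC-SHA1",
    oauth_timestamp: Math.floor(now / 1000), // seconds since the epoch at request time
    oauth_version: "1.0",
  };
  p.oauth_signature = sign(method, url, p, consumerSecret);
  return p;
}

// Constructed sample values: placeholder site URL and placeholder credentials.
const demo = oauthParams("GET", "https://example.com/wp-json/gf/v2/entries",
  "ck_placeholder", "cs_placeholder");
console.log(new URLSearchParams(demo).toString());
```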

I am having the exact same problem! Did you solve?

I have the same issues. Would like to hear from the GF team on this.

I recommend opening a support ticket if you’re having issues with the GFAPI v2 authentication. Thank you.

Any solution? I am having the same problem. Can’t authenticate with basic auth in v1, can’t authenticate in v2 either with basic. Haven’t tried oauth in v2.
Any advice?

Found the solution. See this page

I also had to move the WordPress block to the top of my .htaccess, and leave this plugin activated.

Thank you for sharing that Adnaan.