We are working on OAuth1.0 generating/verification with apigee. It seemed that the OAuth1.0 policy that generates the signature does not generate a timestamp nor a nonce (values we need in order to communicate with another service). We were able to bypass this easily, as we had a jscript ready, to generate the OAuth values we needed. We have moved on to trying to have apigee verify an incoming OAuth request. The apigee policy that verifies OAuth1.0 mentions that it enforces/validates only the consumer_key, access_token, and signature. We will need to also validate a timestamp and nonce. Therefore, we assume we will once again have to create a custom script, yet we will have to write it from scratch as we have none already available. Considering this will be time consuming, we wanted to know if we were understanding apigee's capabilities correctly. Does apigee maybe generate the nonce and timestamp hidden in the background (not exposed?), it says nothing of this in the documentation.

Thank you in advance