Maybe better trying this in here rather than the Suiteql channel, I'm using PHP and OAuth 1.0 to connect to the REST API. It's working fine for simple queries via suiteql etc, the problem is, as soon as I try to use limit and offset in the headers I get an invalid login attempt, assuming because my signature doesn't include the url parameters. I've tried as many different ways as I can see to try and match the signature to the headers but having no luck so far. Am I missing something?

you are constructing the 3.4.1. Signature Base String wrong go though the documentation and construct it correctly or do the easy thing and use HTTP_OAuth or maybe oauth

the base string documentation doesn't seem to explicitly suggest how to handle url params in the basestring, that could either be because they can't be used or its just not covered there. Can you clarify? to the best of my knowledge my basestring outside of the params should be correct.

$baseString = "POST&" . rawurlencode($url) . "&" .
    rawurlencode(
            "oauth_consumer_key=" . rawurlencode(CONSUMER_KEY) .
            "&oauth_nonce=" . rawurlencode($nonce) .
            "&oauth_signature_method=" . rawurlencode('HMAC-SHA256') .
            "&oauth_timestamp=" . rawurlencode($timestamp) .
            "&oauth_token=" . rawurlencode(TOKEN_ID) .
            "&oauth_version=1.0");

it explicitly calls out request parameters as part of the query, the formal name of the part of the url the request parameters are in

well, turns out I was constructing it correctly, the error was elsewhere