(215) Bad Authentication data


My application is getting error code 215 bad authentication error when trying to make requests to the server.

This is has been long running code that’s not changed in months along with any access tokens. Along with this posting images still works with the same access tokens. This is not working across all of our customers now not just one.

It started sporadically a couple of days ago and now is constantly throwing the error (other then posting a image)?

Would love some help?

/1.1/statuses/update.json currently returning 401s
Has OAuth changed today 9/25?

We are getting the same thing! We tracked it down to Twitter isn’t accepting the POSTFIELDS in the Header of the oauth request anymore. Rather, they are expecting that data to passed across as url parms. This just started happening today!


I was just going to post the same thing (in the OAuth forum). Our logs show that a couple of days ago we started getting the odd user getting 215 Bad Authentication Data errors when trying to post a status but most went through fine. Today it seems to be affecting more although still not all users. My Twitter account included in this and I’ve re-linked (debugging showed that I got the same key/secret as before) but if I try to post a status to the account I get the 215 error.

Our code hasn’t altered at all and it doesn’t seem to be affecting all users, so I’m not sure about the POSTFIELDS explanation as everybody’s posts go through the same routines in our code (unless it depends on which server processes the request at Twitter’s end, if they’re not all running the same code changes?)


Same problem, just stopped working, the code has not been modified


Same thing here, has been working for months and now returning Bad Authentication Data for most (not all) requests.


Same here. Also affecting instagram I think.


Is there away around this or are we stuck at the moment?


Expieriencing the same problem here. All accounts our product manages seem to be affected. Does anybody know a work around? We are using php.


Yeah. Just take the data you are putting in POSTFIELDS, and put it at the end of the url.



The bolded would normally go into the postfields, the workaround atm is to put it in the url as above.


Any specific change on twitteroauth.php that could fix the problem for people using the php module?


actually I just checked I don’t update twitteroauth for a while. Will try the latest version and see if works


We use our own Curl library, but at a quick glance here, it looks like twitteroauth uses the same oauth library. So, changing the following line (no guarantees this won’t break other POST requests going through here may want to add a couple other checks, strpos on statuses/update or something) to use the oauth function to_url() instead of get_normalized_http_url, will likely be a nice workaround for the time being.

183: default:
return $this->http($request->get_normalized_http_url(), $method, $request->to_postdata());

to this

183: default:
return $this->http($request->to_url(), $method, $request->to_postdata());

also like to add, that this is hacky, and only is going to be a workaround…


In twitteroauth.php you can update the http function with this around line 232

switch ($method) {
  case 'POST':
    curl_setopt($ci, CURLOPT_POST, TRUE);
    if ($authorization_header)
      $headers[] = $authorization_header;
    if (!empty($postfields)) {
      curl_setopt($ci, CURLOPT_POSTFIELDS, $postfields);
    if(!$authorization_header) $url = $url.'?'.$postfields;
  case 'DELETE':
    curl_setopt($ci, CURLOPT_CUSTOMREQUEST, 'DELETE');
    if (!empty($postfields)) {
      $url = "{$url}?{$postfields}";

It works but it’s a horrible fix.


This change worked. Thanks!
But, what is happening now is a feature or a bug??


I’m getting a 215 Bad Authentication Data from two hours ago. I can’t use statuses.update but have no problem with another API, like statuses.home_timeline. Does anybody knows what’s happening? I’m using the twitter package for python.


statuses.home_timeline is a GET request. The GET requests includes the oauth information in the url_parameters.

statuses.update is a POST request. The POST requests in most libraries will include the oauth information in the POSTFIELDS. The problem is that Twitter is not accepting/grabbing the information in the POSTFIELDS.

This means that GET requests will work fine, since everything is sent in the url. That’s why the workarounds above work is because we include what we normally put in POSTFIELDS in the url_parameters.


Is it a change or an issue?


this is the big question?


In my opinion, big issue! Doubt it’s intentional - is there another venue we can report defects to?


The question for me is if it’s a problem Twitter will fix soon or later or do I have to rewrite all code based in statuses/update.