400 Bad Request response to POST /oauth2/token for application-only authentication



I’m using cURL against the Twitter API to learn a bit more about the OAuth2 workflow. I’ve registered a Twitter app, concatenated its consumer key and secret with a colon, and Base64-encoded it. When I make the following request (Base64-encoded bearer token replaced with a stub), I get a 400 Bad Request.

curl -i -v -X POST -d 'grant_type=client_credentials' -H 'Authorization: Basic 123abc' -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' 'https://api.twitter.com/1.1/oauth2/token'

SSL appears to be working fine. I’ve attempted without --cacert and it seems to work. I’ve also attempted with --cacert pointing to a cert from the Homebrew curl-ca-bundle.

Any suggestions on how to debug this? Or, see anything obvious?




I just ran into the same problem.
The request needs to be sent to “https://api.twitter.com/oauth2/token” and not “https://api.twitter.com/1.1/oauth2/token”.


I love you so much, stranger
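
The request from the question with the endpoint corrected as the answer describes, as an added example that is not part of the original thread. The function names are hypothetical, and the consumer key and secret are supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example: application-only token request against the unversioned
# endpoint. Function names are hypothetical; nothing runs until
# request_bearer_token is called, e.g.
#   request_bearer_token "$CONSUMER_KEY" "$CONSUMER_SECRET"

TOKEN_URL='https://api.twitter.com/oauth2/token'   # no /1.1/ prefix

# Build the value for "Authorization: Basic ...": base64(key ":" secret).
# printf avoids the trailing newline that echo would add, and tr removes the
# line wraps GNU base64 inserts every 76 characters, which would otherwise
# split the header for a long key:secret pair.
basic_credential() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\r\n'
}

# Accept only the endpoint named in the answer; the versioned path from the
# question is rejected before any credential is sent.
check_token_url() {
    case "$1" in
        https://api.twitter.com/oauth2/token) return 0 ;;
        *) echo "unexpected token endpoint: $1" >&2; return 1 ;;
    esac
}

# Request the bearer token. The Authorization header is fed to curl on stdin
# (-H @-, curl 7.55.0 or later) so the credential does not show up in the
# process list; -d makes the request a POST.
request_bearer_token() {
    check_token_url "$TOKEN_URL" || return 1
    printf 'Authorization: Basic %s\n' "$(basic_credential "$1" "$2")" |
        curl -sS -i \
             -H @- \
             -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
             -d 'grant_type=client_credentials' \
             "$TOKEN_URL"
}
```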