401 error when using oAuth tool?


Hi All

I’m brand new to oAuth

I’ve setup a test application, set it to Read, Write and Access direct messages

Use the oAuth tool to generate this

curl --get ‘https://api.twitter.com/oauth/request_token’ --header ‘Authorization: OAuth oauth_consumer_key=“Z0p8k1pspBWrqNlV2VtVFQ”, oauth_nonce=“82c90b7b5202a42442b4714f1f0296a2”, oauth_signature="%2FIVN%2FG7jlcJj6MVwU9UGyC8Tl3g%3D", oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1348759273”, oauth_token=“757341968-Y3XSMCeM9PWJ1GW8hqDMGItbMeNSVShZAb2rHRng”, oauth_version=“1.0”’ --verbose

edit it slightly to this (remove quotes and add -k option to get over certificate problem)

curl -k --get https://api.twitter.com/oauth/request_token --header “Authorization: OAuth oauth_consumer_key=Z0p8k1pspBWrqNlV2VtVFQ, oauth_nonce=82c90b7b5202a42442b4714f1f0296a2, oauth_signature=%2FIVN%2FG7jlcJj6MVwU9UGyC8Tl3g%3D, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1348759273, oauth_token=757341968-Y3XSMCeM9PWJ1GW8hqDMGItbMeNSVShZAb2rHRng, oauth_version=1.0” --verbose

and run it through curl-7.27.0-rtmp-ssh2-ssl-sspi-zlib-winidn-static-bin-w64 for Windows

and this is the result

I can’t seem to get past this 401 error ? what am I doing wrong since i’m not generating any of this it’s all from the oAuth Tool


  • About to connect() to api.twitter.com port 443 (#0)
  • Trying…
  • connected
  • Connected to api.twitter.com ( port 443 (#0)
  • SSLv3, TLS handshake, Client hello (1):
  • SSLv3, TLS handshake, Server hello (2):
  • SSLv3, TLS handshake, CERT (11):
  • SSLv3, TLS handshake, Server finished (14):
  • SSLv3, TLS handshake, Client key exchange (16):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSL connection using RC4-SHA
  • Server certificate:
  •    subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twit

ter Security; CN=api.twitter.com

  •    start date: 2012-05
  •    expire date: 2013-05
  •    subjectAltName: api.twitter.com matched
  •    issuer: C=US; O
  •    SSL certificate verify result: unable to get local issuer certificate (

20), continuing anyway.

GET /oauth/request_token HTTP/1.1
User-Agent: curl/7.27.0
Host: api.twitter.com
Accept: /
Authorization: OAuth oauth_consumer_key=Z0p8k1pspBWrqNlV2VtVFQ, oauth_nonce=25
d7d23fdd3a448acf23ab37033cd47d, oauth_signature=fQ5PnEdQhY2kWdxmoLtDIw5upZQ%3D,
oauth_signature_method=HMAC-SHA1, oauth_timestamp=1348759029, oauth_token=757341
968-Y3XSMCeM9PWJ1GW8hqDMGItbMeNSVShZAb2rHRng, oauth_version=1.0

< HTTP/1.1 401 Unauthorized
< Date: Thu, 27 Sep 2012 15:18:04 GMT
< Status: 401 Unauthorized
< X-Frame-Options: SAMEORIGIN
< X-Transaction: be915b5e91838bae
< Content-Type: text/html; charset=utf-8
< X-Runtime: 0.02352
< X-MID: 8234875033ef1aae66416576db3b1278939b497f
< Expires: Tue, 31 Mar 1981 05:00:00 GMT
< Last-Modified: Thu, 27 Sep 2012 15:18:04 GMT
< Pragma: no-cache
< Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
< Content-Length: 44
< Set-Cookie: k=; path=/; expires=Thu, 04-Oct-12 15
:18:04 GMT; domain=.twitter.com
< Set-Cookie: guest_id=v1%3A134875908452586323; domain=.twitter.com; path=/; exp
ires=Sun, 28-Sep-2014 03:18:04 GMT
< Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCO5dTgg6ASIKZmxhc2hJQzonQWN0
; domain=.twitter.com; path=/; HttpOnly
< Vary: Accept-Encoding
< Server: tfe
Failed to validate oauth signature and token* Connection #0 to host api.twitter.
com left intact

  • Closing connection #0
  • SSLv3, TLS alert, Client hello (1):


You can’t use the OAuth tool to emulate requests to oauth/request_token unfortunately, because it’s a tool for making REST API requests rather than authentication negotiation requests. It’s failing because it adds a oauth_token value to the mix, which represents your identity to a method that is not expecting any kind of user identity.

You should make sure to get your certificate situation figured out on your machine. It’s not recommended to evade SSL when you can’t get it to work