401 Error



I am trying to fully understand OAuth in Twitter's implementation and am beating myself up a bit. I have read the documentation and am fairly confident that I understand the basic premise:

Step 1: Send a POST to: https://api.twitter.com/oauth/request_token
Step 2: Catch the token it returns
Step 3: Redirect user to Twitter to sign in
Step 4: Catch result

I am stuck on step 1, with a 401 error being repeatedly returned.

I have created an application successfully. I gave the application read/write, DM permissions.
I have the 4 keys.

I have sync’d the clock on my computer to a public government NTP source.
I placed the header variables in alphabetic order.
I have regenerated both sets of keys.

When things didn’t work, I went to the most simple concept I could think of, using the OAuth Tool on the App website to generate a signature and pasted the variables into my code and executed (about a million times with different variants), yet I am still getting 401 errors returned. I get a new signature with the tool each time.

I have tried it with and without a callbackurl.
I have tried it with a callbackurl to a dev box using, with a production ssl url, and with the url set to “oob”, the result is the same - a 401 error.

If someone with more experience could shed some light and point me in a direction, I would be extremely grateful.

I am sending a POST to this URL: https://api.twitter.com/oauth/request_token
I am inserting the following text content into the header: Authorization: OAuth oauth_callback="{a valid url here}", oauth_consumer_key="nKOrq7WMWxOfxE50xe2EVWv0d", oauth_nonce="4bfa5ea5445eebed6f40e8f3b6b9a47e", oauth_signature="QqXR9ZTQYqJDbpxVyiIkntF3Zdg%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1434147820", oauth_version="1.0"

Thank you in advance for your assistance.


It is recommended that you use a special library that will handle OAuth for you, as it is quite tricky.
Additionally note that you don’t need the 4 keys, you need only the App Keys.
The other two tokens are only generated as a convenience, and allow you to make requests on your behalf. (i.e. to try the API out, check which method returns which results…)

Note that just generating the OAuth headers once will not work, as it is generated for each request with the correct timestamp and right SHA1 (this includes parameters, depending on request type) so it is impossible to reuse OAuth headers.
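
The per-request signing described in the reply above, as an added example that is not part of the original thread or any poster's code: it builds the OAuth 1.0a (RFC 5849) HMAC-SHA1 signature for the request_token step, where no token exists yet. The function names and the key, secret and callback values used with it are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"


def pct(value: str) -> str:
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(value, safe="-._~")


def sign_request_token(consumer_key, consumer_secret, callback,
                       nonce=None, timestamp=None):
    """Return (base_string, signature, header) for POST oauth/request_token."""
    params = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        # Fresh nonce and timestamp per request, so a header cannot be reused.
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    # Encode every key and value, sort the pairs, then join as k=v&k=v.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Base string: METHOD & encoded URL & encoded parameter string.
    # The callback is therefore percent-encoded twice inside it.
    base_string = "&".join(["POST", pct(REQUEST_TOKEN_URL), pct(normalized)])
    # No token at this step: the token-secret half of the key is empty,
    # but the trailing "&" is still required.
    key = f"{pct(consumer_secret)}&".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    signature = base64.b64encode(digest).decode()
    params["oauth_signature"] = signature
    # Header values are percent-encoded once and wrapped in straight quotes.
    header = "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return base_string, signature, header
```

Logging the base string next to a 401 response and comparing it with the one a reference tool produces for the same nonce and timestamp is a quick way to find which field is encoded or ordered differently.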


Understand that generating once is not good enough. I’m trying to generate them the first time to prove that I have the code right. I started by using “working” code I found online, that obviously no longer does. It didn’t have the callback_url. I have added that and then tried to go simpler and simpler when it didn’t work, until the point I was using the signature made using the app page. I’m not convinced it is good for the first step as it has a token embedded. I’m at the step before the token.

I’m a bigger fan of writing my own code so that when Twitter changes something I am in full control of my code and can change with it quickly.

From what I posted, am I posting the right variables? Is it obvious to you what I am doing wrong?

Thank you for your response.