I’m seeing something odd here: POST requests to the
/statuses/update.json endpoint work perfectly fine, same goes for everything DM-related. However, POST to
/statuses/retweet/:id.json constantly return 401 “32: Could not authenticate you”.
From what I see in the documentation, both require the same user-context authentication which I have - for legacy reasons, the app is still on OAuth 1.0, so it only has user context anyway. Additionally, this same issue also existed using the 1.0 API with the same application in the past week, but not before.
Is there a new undocumented difference in requirements? The code firing the two is precisely the same, and header-wise everything looks sane to me.
This issue has actually a wider scope than I thought. I receive a 401 for every POST to an endpoint acting on a specific status, ie. everything written as
…/:id.json in the documentation. Examples are
status/destroy/:id. Things like
favorite/create transfer the ID in their request parameters and are perfectly fine.
So, to rephrase the question: why do requests transmitting their resource id require a different sort of authentication, and how does it differ…