401 unauthorized when requesting token and callback URL is passed


Hi there,

I’m using Twitter’s OAuth protocol for the first time with VB.net, and I followed the instructions here to create my request:


In the docs, it indicates that a callback URL is required:

For OAuth 1.0a compliance this parameter is required. The value you specify here will be used as the URL a user is redirected to should they approve your application's access to their account. Set this to oob for out-of-band pin mode. This is also how you specify custom callbacks for use in desktop/mobile applications.

Always send an oauth_callback on this step, regardless of a pre-registered callback.

However, I kept running into a 401 unauthorized error until I removed the callback URL. I put it back in and received the 401 unauthorized error again.

Removing it actually makes some sense, since there’s already one specified in the app when I had to sign up. However, I can also see the need to override it. So I’m not sure as a result if this is a bug or a case where the documentation needs to be updated or it’s something completely different.

Anyone else run into this?


Have you taken a look at the message included with the 401 unauthorized? If you’re getting a 401 with the presence of the parameter and a 200 without, to me it suggests that it might have to do with the way you’re encoding or including the oauth_callback parameter. Perhaps it’s being over-escaped or under-escaped, or mis-matched escaped. I also recommend ensuring you’re passing OAuth via headers rather than query-string for best results.


I have also got this 401 error when I added the oauth_callback to the authorization header. the callback URL is correctly encoded. When I remove the oauth_callback url it working perfectly.

For your reference following is my authorization header;
OAuth oauth_nonce=“f4809773431b4974830561c523d5ad2e”,oauth_callback=“http%3A%2F%2Flocalhost%2FTestTwitterIntegrationApplication”,oauth_signature_method=“HMAC-SHA1”,oauth_timestamp=“1444802868”,oauth_consumer_key=“XXXXXXXYYYYYYYZZZZZ”,oauth_signature=“bAdGqfCjoBekpqv1%2FdZVQsIxSi4%3D”,oauth_version=“1.0”

And I have added oauth_callback to the signature base string also.

I have generated the authorization header using Twitter’s OAuth Tool, in that it does not mention any oauth_callback URL parameter(I have given a callback URL in the application settings hoping it will appear, but it doesn’t).

Can anyone help me to resolve this please ?.