API requests all return HTTP401 for both types of authentication



I have created an app at https://apps.twitter.com/
I have enabled Read and Write permissions and retrieved my consumer key and secret.

I have tried two forms of authentication: both the Application-Only Authentication where I have successfully converted my consumer key/secret to an access token and 3-Legged OAuth where I have generated an access token and secret for my user account (which matched that listed on the app page).

When I try to make a request, either via Postman or my Node application with either of the above authentication methods, I always get an HTTP401 as a response. I am trying to hit something like:

Example Authorization value for 3-Legged:
OAuth oauth_consumer_key="<APP CONSUMER KEY>",oauth_token="<USER ACCESS TOKEN>",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1495032623",oauth_nonce="DTyFC7",oauth_version="1.0",oauth_signature="<GENERATED SIGNATURE>"

Example Authorization value for Application-only:

Is there something I’m missing to get this to work?


Strange - I’m able to make requests using Postman without issues. Are you getting an error code back from the API? You should see a JSON message with details of the error to accompany the HTTP 401.

One thing to check would be that your clock is in sync.


Thanks for coming back to me Andy. I’ve solved it now, and this is what I needed to do…

I was getting a Not Authorized response which according to the docs is “Missing or incorrect authentication credentials”, so I closely checked everything I’d used.

Looking at my user’s access token and secret on the Keys and Access Tokens page of https://apps.twitter.com/app/[APP-ID]/keys I saw that the application’s Access Level was set to “Read and write” but my Access token Access level was only set to “Read”.

By clicking “Regenerate My Access Token and Token Secret” and using the new token and secret I was able to successfully retrieve the user timeline.

I am making an assumption that this is because the application’s Access level was originally set to Read, the user access token was generated, then the application’s required Access level was increased to Read and write. Does that sound like something that might cause this?


Great to hear you figured it out - yes, you need to regenerate the access token / login with Twitter again to the app after the permissions are changed.