App-only Authentication broken


I’m attempting to get a bearer token with this curl. The end goal is to get it to work in node, but I get the same error either way.
Generated key with:
var KEY = new Buffer(’___’).toString(‘UTF-8’) + ‘:’ + new Buffer(’_________’).toString(‘UTF-8’);
var base64key = new Buffer(KEY).toString(‘base64’);

curl --request ‘POST’ ‘’ --header 'Authorization: “Basic XXXXXX”, Content-Type: “application/x-www-form-urlencoded;charset=UTF-8” ’ --verbose

I always get this response:
{“errors”:[{“code”:99,“label”:“authenticity_token_error”,“message”:“Unable to verify your credentials”}]}


Two things I would check:

  • Make sure you’re sending grant_type as a POST parameter, not as part of the query string of a POST request.
  • Verify that the base 64 method you’re using is outputting the same Basic auth header that you would receive had you used curl’s “-u consumerKey:consumerSecret” parameter instead of setting the header explicitly.
  • Also, your “–header” parameter looks like it might result in an invalid header string – I don’t think curl will split the header on commas for you
  • That content-type will be the default if you use the “–data” parameter to communicate your grant_type permission instead.


Thanks for the help. This also helped me figure out what was wrong in my node code.