App-Only Token Error 99



I know this problem has been around a lot. I’ve looked at every possible solution but cannot find it.

I’m running into this error when trying to retrieve a bearer token for app-only authentication:
{"errors":[{"code":99,"label":"authenticity_token_error","message":"Unable to verify your credentials"}]}

Everything I’ve done seems right, but I’m not sure if I’m just overlooking something… I’ve regenerated my API keys many times as well:

$consumerKey = '[CONSUMER KEY]';
$consumerSecret = '[CONSUMER SECRET]';

// Encode Key & Secret
$enConsumerKey = urlencode( $consumerKey );
$enConsumerSecret = urlencode( $consumerSecret );

// Concatenate both with a colon and base64-encode the result
$bearerToken = $enConsumerKey.':'.$enConsumerSecret;
$base64Token = base64_encode ($bearerToken);

// Output details retrieved from the function below
$accessToken = get_access_token('');
echo $accessToken;

// Create function to retrieve new token
function get_access_token($url) {

	$headers = array(
		"POST /oauth2/token HTTP/1.1",
		"User-Agent: Dropkick Website App v0.1",
		"Authorization: Basic " . $base64Token,
		"Content-Type: application/x-www-form-urlencoded;charset=UTF-8",
		"Content-Length: 29"
	);

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
	$header = curl_setopt($ch, CURLOPT_HEADER, 0);
	curl_setopt($ch, CURLOPT_POST, 1);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
	curl_setopt($ch, CURLOPT_POSTFIELDS, "grant_type=client_credentials");
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

	$content = curl_exec( $ch );

	curl_close( $ch );

	return $content;
}

I know I’m probably overlooking something so simple.


This looks pretty close to correct… one thing that looks suspicious is this bit in your HTTP headers: "POST /oauth2/token HTTP/1.1", – that’s not actually an HTTP header and should be part of HTTP already being handled by curl.


Ah yes, I was troubleshooting a lot, so I added that in there to check. Even without that I have no success. My only idea is that there is something wrong with my API creds or my server doesn’t support something it’s meant to.

Do you have any idea what could not be active server side?


I figured out what the issue was. It wasn’t happy as a function. So I took it out and left it on its own. Seemed to work then.
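
The scoping problem behind the function-versus-inline difference above, as an added example that is not part of the thread: in the posted code `$base64Token` is set at the top level but read inside `get_access_token()`, where PHP treats it as an undefined local, so the `Authorization` header is sent with no credential. The function names, the constructed key and secret, and the `access_token` response field (the standard OAuth 2.0 name) are assumptions; the token URL stays a parameter.

```php
<?php
// Added example; names and sample credentials are constructed, not from the thread.

// Pattern from the post: the token is a top-level variable, so inside a function
// it is an undefined local. PHP warns and concatenates an empty string; `??`
// reproduces that result here without the warning.
$base64Token = 'visible-only-at-top-level';
function broken_auth_header(): string {
    return 'Authorization: Basic ' . ($base64Token ?? '');
}

// Fix: pass the credentials in and build the Basic value inside the function.
function basic_credential(string $key, string $secret): string {
    return base64_encode(urlencode($key) . ':' . urlencode($secret));
}

function request_bearer_token(string $tokenUrl, string $key, string $secret): string {
    $ch = curl_init($tokenUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'grant_type=client_credentials',
        // Only real headers: curl writes the request line and Content-Length.
        CURLOPT_HTTPHEADER     => [
            'Authorization: Basic ' . basic_credential($key, $secret),
            'Content-Type: application/x-www-form-urlencoded;charset=UTF-8',
        ],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('curl failed: ' . curl_error($ch));
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $json = json_decode($body, true);
    // "access_token" is the standard OAuth 2.0 field name (assumed for this API).
    if ($status !== 200 || !isset($json['access_token'])) {
        throw new RuntimeException("Token request rejected (HTTP $status): $body");
    }
    return $json['access_token'];
}

// Offline demonstration with constructed values; no request is sent.
echo broken_auth_header(), PHP_EOL;
echo 'Authorization: Basic ', basic_credential('constructedKey', 'constructed/Secret+1'), PHP_EOL;
```

Running the script prints the two headers side by side; `request_bearer_token()` is only defined, not called, so nothing leaves the machine until a real token URL and credentials are supplied.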


I wonder what made it happy :slight_smile:
I’m still stuck with a 403 :frowning:

Working from the bash shell in OS X:

curl -v --user-agent 'hrdlnktestapp01' --header "Authorization: Basic $encodedkeys" --header 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' --data 'grant_type=client_credentials' ''