Application only authentication (error 99 Unable to verify your credentials)


I’m sending the request bellow[2], but I’m not sure why, the only Response I can get is this:

HTTP/1.1 403 Forbidden
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Content-Length: 105
Content-Type: application/json; charset=utf-8
Date: Mon, 07 Apr 2014 15:14:19 GMT
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Last-Modified: Mon, 07 Apr 2014 15:14:19 GMT
Pragma: no-cache
Server: tfe
Set-Cookie: guest_id=NNNNNNNN;; Path=/; Expires=Wed, 06-Apr-2016 15:14:19 UTC
Status: 403 Forbidden
Strict-Transport-Security: max-age=631138519
Vary: Accept-Encoding
X-Frame-Options: DENY
X-Mid: b6963789b7d0c95bb66b1d484962dfe0099bff7a
X-Runtime: 0.00733
X-Transaction: 1beacb11a785a405
X-Ua-Compatible: IE=edge,chrome=1
X-Xss-Protection: 1; mode=block

{"errors":[{"code":99,"message":"Unable to verify your credentials","label":"authenticity_token_error"}]}


POST /oauth2/token HTTP/1.1
Host: localhost
User-Agent: locness-01 v0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Cookie: PHPSESSID=in7kge13f6euknhcf3jo0t6f34
X-Insight: activate
Connection: keep-alive
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Authorization: Basic TkYzVyMHdz ... NUtzZmJlSQ==


I know you cover that error code (99), but it doesn’t see to apply on this application. I’ve created another app to test it, still the very same issue :frowning: Any idea?

Thanks in advance


I would make sure that you send a Host HTTP header that corresponds to the host you’re addressing the request to:, not localhost.

I would also recommend not sending Cookies with your request (somewhat of another form of auth that can conflict with what you’re trying to send in your Authorization header).

It looks like you’re sending a few HTTP headers that aren’t necessary for this request.


Thank you very much. That was weird.


Could you post a solved version of your request?
I’m stuck with the same error 99 message.
My app’s name is hrdlnktestapp01 and here’s my POST request
I’m using curl from a bash shell on OS X

POST /oauth2/token HTTP/1.1
User-Agent: hrdlnktestapp01
Accept: */*
Authorization: Basic NWU0eXN[ truncated ]JwNjVFRwo==
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 29


@hrdlnk One thing I noticed is that the body of your post request is empty. You still need grant_type=client_credentials


Hello everyone, how do I get Authorization bearer token?


If you want to obtain a bearer token for application-only authentication, check the documentation. I have a small example script on Github.


Thank you @andypiper. Followed the documentation and now I am getting 400 error.

My code :

params = {
‘grant_type’: ‘client_credentials’
headers = {
‘Content-Type’: ‘application/x-www-form-urlencoded;charset=UTF-8’,
‘Authorization’: 'Basic ‘Base64(API Key) Base64(API Secret)’

		     url: '',
		     type: 'POST',
		     data: params,
		     headers: headers,
		     success: function( data ){
		       console.log( data )


This is not intended for use from client-side Javascript, as Twitter does not support cross-origin resource sharing (CORS) at this time. You’ll need to write server-side code in order to access the API directly.


Huh :frowning: … thanks for the reply.