Building new library but oob request token fails with 401



I’m trying to develop a (Twitter) OAuth v1.0a library for use with the FreePascal programming language.

First I’m trying to implement OOB authentication.
I authorized the application with an empty callback URL and got consumer key and secret (no access token/secret).
While trying to get a request token, I get a 401 result.
Data below (I’ve since changed the consumer key and secret).

I put the OAuth header in the authorization header, nothing in the body or querystring.

The response with the 401 differs 1 second with the request time, so I think the time should be well synchronized. Translating the request timestamp back to UTC seems to give the correct value.

The signature base string validated OK via


  1. Can anybody see something wrong with the below?
  2. RFC 5849 says “The client MAY omit the empty “oauth_token” protocol parameter from the request”. I’ve left it in; is this OK?
  3. Anything else I can check?

Current UTC time: 13:52:12 (at time of sending message)
Request timestamp: 1339336332
Converted back: 10-6-2012 13:52:12

Parameter string:

Signature base string:


Authorization Header:
OAuth oauth_callback=“oob”, oauth_consumer_key=“KwT8AYDznYoqsRmShCPSA”, oauth_nonce=“vY8ayYlLHkw5dsmqFClJiWREIqk1yTBPXD243DOgU”, oauth_signature=“I6zQvdfg6iKeE1qLJ8RXs1ijFnU%3D”, oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1339336332”, oauth_token="", oauth_version=“1.0”

POSTing to URL:

HTTP/1.1 401 Unauthorized
Date: Sun, 10 Jun 2012 13:52:13 GMT
Failed to validate oauth signature and token


Sorry, turned out to be a nonce that I inadvertently changed during signature generation.

Code now works and can be found on

Next up: cleanup, authentication with existing oauth_token & secret…


Glad you got it figured out, @rismyname7! Thanks for sharing your Pascal code, I’ve tagged this post to make it easy for folks to find.