Can make calls to verify_credentials with key/token, but keep getting 401 when requesting a token


I’ve read through the OAuth docs from Twitter (which seem great), requested API keys, and a token for my Twitter account.

I’ve been able to call into and pull back my info without any issues.

Happy with some code that signs, sorts etc. I’ve moved on to requesting a token for user authorization.

This is a snippet of what’s working (pulling my info):

This is what I’m signing with my (consumerSecret&accessTokenSecret)


This is my Authorization header:

OAuth oauth_token="##TOKEN##",

This is a snippet of my token request, which isn’t working

What I’m signing (with just my consumerSecret)


Authorization header

OAuth oauth_nonce="3963029ea8ce44ea841478163d3d936e",

The only differences between the two requests are that

  • the working one gets signed with consumerSecret&accessTokenSecret and the other is signed with just consumerSecret
  • the non-working one has oauth_callback added to the authorization header, with an encoded URL (which gets re-encoded during the signing process)
  • the working one has my accessToken added to the authorization header, and the other doesn’t

My clock is good, and I do get good requests from the first one, so that shouldn’t be an issue. I’ve removed the callback from the second (I know it’s required, but just to see if I get some other error, as that’s the only new thing added). Is there something blatantly obvious that I’m missing?

Thanks =)


One guess for you: when you’re signing the oauth/request_token request, it’s not that you sign it “only” with your consumer secret, you sign it with a consumer secret and a null token secret. So, more like: “consumerSecret&” instead of just “consumerSecret”


Thanks @episod,

I did notice that someone had done that from a snippet on some SO post, or somewhere else, and had tried it once to no avail. I quickly gave up on that, as I didn’t see it, or it didn’t stand out, within the Twitter documentation.

I did just try it again, and it worked!
I must’ve had something else wrong somewhere, that I fixed between when I tried the null token secret and now. Goes to show that I shouldn’t rule something out as not working permanently in my brain =)



Okay, one other thing I’m noticing is that I get successful calls when my signature has no dashes/underscores within it, when it does I always get a 401.

I don’t see anything mentioning that in

So these signatures fail:

Any signature without _- works.



Doh! Sorry, I’ve got a reply awaiting moderation and I’ve just figured it out.
I was base64 URL encoding my signature (using Golang) which places the dashes/underscores in my signature.
I switched it to a base64 standard encoding, and all is well =)

Thanks again,


Glad you got it figured out, Justin!
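
The two fixes from this thread, as an added Go example that is not the poster's code: the signing key always contains the "&" (so it ends in "&" when there is no token secret yet), and the HMAC-SHA1 signature is encoded with standard base64, not the URL-safe alphabet. The function names, secrets and base string are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// pctEncode applies RFC 3986 percent-encoding: only unreserved characters pass through.
func pctEncode(s string) string {
	const unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(unreserved, s[i]) >= 0 {
			b.WriteByte(s[i])
		} else {
			fmt.Fprintf(&b, "%%%02X", s[i])
		}
	}
	return b.String()
}

// SigningKey joins both secrets with "&". For oauth/request_token the token
// secret is empty, so the key is "consumerSecret&", never bare "consumerSecret".
func SigningKey(consumerSecret, tokenSecret string) string {
	return pctEncode(consumerSecret) + "&" + pctEncode(tokenSecret)
}

func mac(baseString, key string) []byte {
	h := hmac.New(sha1.New, []byte(key))
	h.Write([]byte(baseString))
	return h.Sum(nil)
}

// Sign uses the standard base64 alphabet ('+' and '/'), which the server expects.
func Sign(baseString, key string) string {
	return base64.StdEncoding.EncodeToString(mac(baseString, key))
}

// SignURLSafe reproduces the mistake: '+' and '/' become '-' and '_', giving a 401.
func SignURLSafe(baseString, key string) string {
	return base64.URLEncoding.EncodeToString(mac(baseString, key))
}

func main() {
	key := SigningKey("consumerSecret", "") // constructed secret, no token secret yet
	base := "POST&https%3A%2F%2Fapi.example.test%2Frequest_token&oauth_nonce%3Dabc" // constructed
	sig := Sign(base, key)
	fmt.Println(key, sig, SignURLSafe(base, key), pctEncode(sig))
}
```

The value placed in the Authorization header is `pctEncode(sig)`: the standard-base64 signature, percent-encoded once.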