Change in OAuth Authentication on 10Nov 2012?


At 2:43am on 10Nov 2012, my auto Tweeting system sent out its last tweet and now I can’t seem to get it to do anything.

I’m using Abraham’s twitteroauth.php system and nothing changed in the scripts that I am aware of. It appears that I am not getting authenticated, because even just a ‘Current API Hits Remaining’ call returns nothing. Any ideas?

$tcon = new TwitterOAuth($consumer_key, $consumer_secret, $access_token, $access_token_secret);
$content = $tcon->get('account/rate_limit_status');
echo "Current API hits remaining: {$content->remaining_hits}.";

Result: "Current API hits remaining: "


Update: I’ve done some more testing. When I do this:
$tcon = new TwitterOAuth($consumer_key, $consumer_secret, $access_token, $access_token_secret);

A var_dump returns a pile of data including all my keys and tokens.

Then I do this:
$content = $tcon->get('account/rate_limit_status');

And it stalls terribly (sometimes killing my script completely), then a var dump:


Gives me NULL.

I’m stumped.


We seem to be facing the same issue too (same library, same end to all services via library).


@eBooksLister Are you using the 1.1 API too?


I would verify that your code is speaking to the right version of the API. It’s possible with the library you’re using to make requests to unversioned endpoints. It’s quite possible that when you’re asking to request “account/rate_limit_status” that’s translating to a request to instead of (which is the correct URL to use)


I didn’t make any changes on my end. I haven’t touched the php code or the included oauth files for a month or more. Then it just stopped working on 10Nov 2012. So I assumed Twitter made a change. But for all my reading I find nothing on any changes that should affect my scripts.

In the twitteroauth.php include file (from Abraham), I see this:
public $host = “”;

I assume I’m using version 1 and not 1.1, but I wouldn’t know how to verify either way.

Any other ideas on the sudden failure of all my API scripts?


Further, when I did the var_dump on the $tcon, the pile of data it returned includes this:

[“host”] => string(26) “

So I’d guess I’m connecting to the right endpoint?


I’ve chased ours a little more. For us it’s failing on the x_auth request but only from one of our servers. We have the same code (and configs) checked out to a local dev server and a remote production server. The local server fails (“Failed to validate oauth signature and token”), but the remote server succeeds. Is there a chance the dev server ended up on a blacklist?


Unlikely. Make sure that you’ve ruled out any other factors – such as the system clock… OAuth relies on your server clock being correct and in sync with our own. Perhaps with the recent time change, one of your servers did not adjust its consideration of UTC correctly?


It appears you’re using the correct endpoint. I recommend verifying that your clocks are also set correctly.
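The clock check recommended in the replies above, sketched as an added example (not code from the thread or from the twitteroauth library): it compares the local clock with the `Date` header of an HTTP response, since OAuth 1.0a signs each request with a Unix `oauth_timestamp`. The function names, the 300-second tolerance and the sample headers are assumptions made for illustration.

```php
<?php
// Added example, not from the thread or from twitteroauth.
// OAuth 1.0a signs each request with oauth_timestamp = Unix time (UTC seconds),
// so a wrong system clock breaks signature validation even with valid keys.

/** Return the server's time from a raw HTTP header block, or null if absent. */
function server_time_from_headers(string $rawHeaders): ?int
{
    // Header names are case-insensitive; match one "Date:" line.
    if (!preg_match('/^Date:[ \t]*(.+?)[ \t]*\r?$/mi', $rawHeaders, $m)) {
        return null;
    }
    $ts = strtotime($m[1]);          // parses "Sat, 10 Nov 2012 07:43:00 GMT"
    return $ts === false ? null : $ts;
}

/** Local clock minus server clock, in seconds (positive = local runs ahead). */
function clock_skew(string $rawHeaders, int $localNow): ?int
{
    $server = server_time_from_headers($rawHeaders);
    return $server === null ? null : $localNow - $server;
}

// Assumed tolerance; the thread does not state what the API accepts.
const MAX_SKEW_SECONDS = 300;

// Constructed sample response headers (not captured from a real server).
$sample = "HTTP/1.1 200 OK\r\n"
        . "Date: Sat, 10 Nov 2012 07:43:00 GMT\r\n"
        . "Content-Type: application/json\r\n\r\n";

// Constructed local clocks: one correct, one an hour behind after a DST change.
$cases = [
    'in sync'      => gmmktime(7, 43, 2, 11, 10, 2012),
    'one hour off' => gmmktime(6, 43, 0, 11, 10, 2012),
];

foreach ($cases as $label => $localNow) {
    $skew = clock_skew($sample, $localNow);
    $ok   = $skew !== null && abs($skew) <= MAX_SKEW_SECONDS;
    printf("%-12s skew=%+5ds %s\n", $label, $skew, $ok ? 'OK' : 'CLOCK WRONG: fix NTP');
}
```

On a real server, pass the headers of a HEAD request to the API host and `time()` as `$localNow`; this measures the clock directly instead of relying on the hosting provider's word.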


I also notice that when I run my script, it stalls for exactly 30 seconds. Coincidentally, I see this in my var_dump:
["timeout"]=> int(30) ["connecttimeout"]=> int(30)

So it would appear that my script is timing out on this call:
$content = $tcon->get('account/rate_limit_status', array('cursor' => -1));

Anyone have any ideas?


I checked with my host (arvixe) and they say their servers are up-to-date and accurate.

Do any of the keys or tokens expire?


@episod Brilliant, that was exactly it-- the server’s time was wrong. Thanks!


Is there a reason you’re passing cursor=-1 to that method? It doesn’t accept any parameters really…

Are you able to connect to the API using a simple curl command from the same machine?

When faced with HTTP errors, does your client back off from making requests? Is it possible you’ve gotten your IP temporarily banned due to too many erroneous requests?

Consumer keys and secrets don’t tend to expire unless you reset them yourself. Likewise, access tokens are long lived unless you do something to revoke access or re-negotiate access with them.


I was passing the cursor just as testing. Trying to find an answer.

I’m still new to the Twitter API and got Abraham’s twitteroauth working the way I wanted it to. Other than that, I know little. I don’t know, yet, how to do the ‘simple curl command’. I’ll read up.

How would I know if the IP addy is banned? I checked my application and it’s not marked as ‘suspended’. And if the IP IS banned, how do I ‘unban’ it?

Thanks for the help.


Any additional help available? I’m still unable to access the API.


It suddenly started working this morning. I checked again with my host and there was no change in the server time. No idea what changed.