"Failed to validate oauth signature and token" when acquiring a request_token


Good day, I am writing an iOS app that needs to authenticate with Twitter. When I POST a request to https://api.twitter.com/oauth/request_token I get a 401 error with the message “Failed to validate oauth signature and token”.

Here is an example of a base string I generated:


Can’t see anything wrong with it. I also checked my signature generation method using the example base string and consumer secret in the Twitter documentation here: https://dev.twitter.com/docs/auth/oauth
I get the same signature.

I also checked my timestamp but it is within a second of UTC epoch time. Here are the response headers I’m getting:
"Cache-Control" = "no-cache, no-store, must-revalidate, pre-check=0, post-check=0";
Connection = close;
"Content-Encoding" = gzip;
"Content-Length" = 62;
"Content-Type" = "text/html; charset=utf-8";
Date = "Wed, 07 Sep 2011 15:50:48 GMT";
Expires = "Tue, 31 Mar 1981 05:00:00 GMT";
"Last-Modified" = "Wed, 07 Sep 2011 15:50:48 GMT";
Pragma = "no-cache";
Server = hi;
"Set-Cookie" = "admobuu=30ed26ca874a682abe8f02dde910b6b4; domain=.m.twitter.com; path=/; expires=Tue, 19 Jan 2038 03:14:07 GMT, _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCDOclUQyAToHaWQiJTYyN2Q1YTlkOWRlYTky%250AYjNmMzhkY2NhMDIxZmZjYjc2IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--4fa77deaa5e2a9b3fd9817d3e2bd5562fa495c00; domain=.twitter.com; path=/; HttpOnly";
Status = "401 Unauthorized";
Vary = "Accept-Encoding";
"X-Content-Type-Options" = nosniff;
"X-Frame-Options" = SAMEORIGIN;
"X-Mid" = 70704cf1e07711a4e1e26b9370f61004030eebff;
"X-Revision" = DEV;
"X-Runtime" = "0.00468";
"X-Transaction" = "1315410648-37419-22715";

What could I be doing wrong?


Your signature base string does look correct. It may be an issue with the request itself.

What is the exact URL you’re executing for the request_token step? Are you using HTTP header-based OAuth or query-string based OAuth? Make sure you’re not mixing auth types – if you’re using header-based auth, make sure that none of the oauth_* parameters are also included in the query string.


I am using


for the URL. I am using header-based authentication. The Authorization header looks like this:

OAuth oauth_nonce="53b833b3808114c166d5b95eccf986ba4bb95b5d",oauth_callback="oob",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1315414189",oauth_consumer_key="fy5lC1V4ojgaolKPnEsbg",oauth_version="1.0",oauth_signature="2OMyNDRK49sHNy/uknDwWOfjm9A="



Figured it out. The signature in the Authorization header needs to be URL-encoded.
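The fix the poster found, worked through as an added example (this is not code from the thread or from Twitter): build the OAuth 1.0a signature base string, sign it with HMAC-SHA1, and percent-encode every header value, the base64 signature included. The consumer key and secret, nonce and timestamp are constructed placeholders, and no oauth_token is sent because the request_token step has no user or token context yet.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"

def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # METHOD & enc(url) & enc(sorted "k=v" pairs, each key and value already encoded)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Key is enc(consumer_secret)&enc(token_secret); at the request_token step there is
    # no token secret yet, so the key simply ends with '&'.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()  # raw base64: may contain '+', '/' and '='

def authorization_header(oauth_params, signature):
    # Every value is percent-encoded, the base64 signature included. Pasting the raw
    # base64 (with '/', '+' or '=') into the header is what produced the 401 above.
    items = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(items.items()))

def request_token_header(consumer_key, consumer_secret, nonce, timestamp, callback="oob"):
    # Returns (base string, Authorization header value) for POST oauth/request_token.
    # Deliberately no oauth_token: this step has no user or request token context yet.
    oauth_params = {
        "oauth_callback": callback,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", REQUEST_TOKEN_URL, oauth_params)
    return base, authorization_header(oauth_params, hmac_sha1_signature(base, consumer_secret))

if __name__ == "__main__":
    # Constructed placeholder credentials plus a fixed nonce/timestamp so the output is reproducible
    base, header = request_token_header("EXAMPLE_CONSUMER_KEY", "EXAMPLE_CONSUMER_SECRET",
                                        nonce="53b833b3", timestamp=1315414189)
    print(base)
    print("Authorization:", header)
```

Compare the printed base string against the one your own code generates before comparing signatures; when the base strings and the signing key match, the signatures must match too, and any remaining 401 is in the header serialization.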


Similar issue.

POST https://api.twitter.com/oauth/request_token

Host: api.twitter.com
User-Agent: Fiddler
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Authorization: OAuth oauth_nonce="1e91616e4070cd96c846682a03675db4",

Repeatedly generates a 400 error.

Any thoughts?


I have addressed the 400 error but am now encountering a 401. I am pulling the request header directly from the OAuth tool available from Twitter. Posting directly to https://api.twitter.com/oauth/request_token using Fiddler. No luck. Any thoughts?

Authorization: OAuth oauth_consumer_key="4CbmEH9Fav2X9mzQMBH6GA", oauth_nonce="e069cee28350c2dc8ac1bad1b48986ee", oauth_signature="bTHqukiBQ0XnLCoyxobZ72P4YqY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1335979035", oauth_token="562308004-sdWylisn26oYX0ypjxJ9fXfUf88p0f5fwY6gCJHw", oauth_version="1.0"
Host: api.twitter.com


I’m not aware of what Fiddler does or does not do, but it’s possible it’s invalidating your request in other ways. A web console like that isn’t the best way to test the API nor the token negotiation methods.

Also, in your request for a request token there, you’re including an oauth_token – oauth_tokens aren’t a valid parameter for the request token step.


The issue is encountered directly from the Fiddler client or in our own code.

The oauth_token was inserted in the request header by your OAuth tool. If it’s not required, why does your tool insert it?


The OAuth tool’s purpose is mainly to address resource API requests – it has less practicality for the OAuth authorization scenario. It’s not aware of which paths mean what, it simply takes the variables you provide to it and builds what a technically valid request would look like given those parameters.

The reason an oauth_token is accepted for oauth/request_token is because it’s a method without a pre-existing context – there’s no access token (no user making the request) and there’s no request token (you’re asking for that).


What is m.twitter.com’s appNamespace?


“A web console like that isn’t the best way to test the API nor the token negotiation methods.”…what is then?


How do I integrate Twitter using a Flex mobile application?


Dude fabulous ideas here


Hi, I have a “NETWORK_ERR: XMLHttpRequest Exception 101” on this request:


When I put it into the browser, I get a “Failed to validate oauth signature and token”.
But it was working before…
From what I can see, the query is well formatted, isn’t it?
Any idea?


You’re missing an oauth_version parameter there, it looks like. You’ll find better results using HTTP headers instead of query string parameters.

You should also never use XMLHttpRequest for any steps of the OAuth process. It’s a server-to-server operation.


I have the same problem as him in the .NET environment, but I haven’t found how to change it because I am also not very familiar with .NET, and there are no such examples. Can you give me a reference? Thank you very much.


Check out these examples of using the .NET library LINQ to Twitter: http://linqtotwitter.codeplex.com/wikipage?title=Making%20API%20Calls&referringTitle=Home


I am having the same problem, using this PHP SDK: https://github.com/abraham/twitteroauth
This is my URL:


Hi, did you resolve this issue? I’m getting the same problem.


Same problem here. I have tried many things, from using the abraham and codebird libraries, to building a similar library from zero, to even using the OAuth tool from the Twitter application so I could test by executing the cURL command generated by Twitter ITSELF. And the result is still the same. I wonder what’s wrong with this API.