Failed to validate oauth signature and token


Hi all,

I’m trying to use OAuth to sign in users on a web site. I followed the information available on and validated my code with unit tests against values found in the documentation. But when using my application’s secret strings it fails with “Failed to validate oauth signature and token”. I don’t use any library as I try to understand how it works.

I’m not sure about how to generation the nonce. At the moment I get a timestamp representing the total seconds elapsed since January, the 1st of 1970. I’ve checked that the system clock is correctly set. I seed a pseudo random generator and feed a 32 bytes array of random data and convert it to base64 as the nonce.

Here’s my authorization header:

OAuth oauth_nonce="QojA+w4lwJCz6cayAEmKxODw53z29jSghv07F3pmJlU=", oauth_callback="http%3A%2F%2Flocalhost%3A1277%2FHome%2FTwitterCallback", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1319658858", oauth_consumer_key="eY3fgMXqkX5Snwb54Llg", oauth_signature="Ohw7CJdWkNaOf7cywzG8A43GRgc%3D", oauth_version="1.0"

Do you see anything wrong?

Thank’s a lot in advance!


I don’t see anything obvious. Can you post more info? For example, the signature base string you’re generating, and a full HTTP dump would be useful (or just the URL and post body if you can’t get the raw request).


We’re having the same problem, everything was working fine for a couple of months until we started getting 301 response using http calls so we changed them to https, but now all we get is “Failed to validate oauth signature and token”, I’ve tried making a number of changes to the header, but nothing helps. This is the php code:

$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, $_h);
curl_setopt($ch, CURLOPT_URL, ‘’);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$resp = curl_exec($ch);

the dump of $_h is below, this worked fine before, and like I’ve said I’ve tried a number of different variations of this now, removing realm, removing the Expect: value, removing Authorization:, etc…

Array ( [0] => Expect: [1] => Authorization: OAuth realm="/oauth/request_token",oauth_consumer_key=“RXutBKZVrIjeDkzxxzRAHQ”,oauth_token=“11058162-Oae0l0mCoAS40ZkNZ0PFRy6mSj8jjO7byUGwL6AWg”,oauth_nonce=“1e61683d23c2b9cdcdf7ed364ee0cf2e”,oauth_timestamp=“1361460752”,oauth_signature_method=“HMAC-SHA1”,oauth_version=“1.0”,oauth_callback=“”,oauth_verfier="",oauth_signature=“9N7GdvhAT6ISDMfcLhhTmoHfeYY%3D” )


Make sure you’re using the most up-to-date paths – you should be using HTTPS and the subdomain for all oauth requests:


I fixed all the urls but still no luck, here’s the header we get in the response

HTTP/1.1 401 Unauthorized Date: Thu, 21 Feb 2013 15:57:50 GMT Status: 401 Unauthorized Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0 Content-Length: 44 Pragma: no-cache X-Transaction: d12d96d2a0afd148 Content-Type: text/html; charset=utf-8 X-Runtime: 0.02077 Last-Modified: Thu, 21 Feb 2013 15:57:50 GMT X-Frame-Options: SAMEORIGIN X-MID: 8e77e264b22cccf0b99e7f540f097eeab42c93b9 Expires: Tue, 31 Mar 1981 05:00:00 GMT Set-Cookie: k=; path=/; expires=Thu, 28-Feb-13 15:57:50 GMT; Set-Cookie: guest_id=v1%3A13614622707606104;; path=/; expires=Sun, 22-Feb-2015 03:57:50 GMT Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCCqbef08AToHaWQiJTY0ZThkYzI5MWI3N2I2%250AYzQ1MzU5N2ViMGQ3MTM3MGI2IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA–a053f994ebdd3376bb580831c2d9372831088559;; path=/; HttpOnly Vary: Accept-Encoding Server: tfe Failed to validate oauth signature and token


if my oauth_signature has “+” symbol i get “failed to validate signature and toke” as response when i tried to request for request tokens.

I get “request tokens in the response” for the below oauth_signature.

I am seeing this issue for past two days only.

I am using java script library to generate the oath_signature. sha1.js


  • A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
  • in FIPS PUB 180-1
  • Version 2.1a Copyright Paul Johnston 2000 - 2002.
  • Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
  • Distributed under the BSD License
  • See for details.

action: ""
method: "GET"
parameters: Object
oauth_callback: ""
oauth_consumer_key: "DPunrpPrUKshHXGj2VXv4w"
oauth_nonce: "ERACXH"
oauth_signature_method: "HMAC-SHA1"
oauth_timestamp: 1361470256
oauth_version: “1.0”


  • Calculate the HMAC-SHA1 of a key and some data
    function core_hmac_sha1(key, data)
    var bkey = str2binb(key);
    if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);

var ipad = Array(16), opad = Array(16);
for(var i = 0; i < 16; i++)
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;

var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
return core_sha1(opad.concat(hash), 512 + 160);

help appretiated


I’ve tried using POST instead of GET and following everything here exactly:

What do we have to do to make this work?! Why can’t we get a more specific response?


I was using a bad php library that I had to hack to make work, but nothing else I could do would make it start working again after the http api urls started returning 301 a couple days ago.

I decided to try another library and this one seems to work well: tmhOAuth by @themattharris

I don’t have time to figure out what it’s doing differently