Getting 401 Unauthorized when registering Webhook

webhooks

#1

Hello,

I am trying to register a webhook for my Twitter app, but every time I send a request I receive a 401 Unauthorized response.

I tried to send url as query param and as request body with content type header “application/x-www-form-urlencoded”.

It is strange, because when I call GET https://api.twitter.com/1.1/account_activity/webhooks.json I get a 200 status code with an empty response body. I expect an empty response body, since I do not have any webhook configured yet.

update:
Detailed error message is:

{
    "errors": [
        {
            "code": 32,
            "message": "Could not authenticate you."
        }
    ]
}

Best regards,
Chris


#2

Are you whitelisted for access?
Also make sure you are trying with twurl – it works pretty consistently and that will eventually be recommended.


#3

I have beta access to the Account Activity API:

Great news! We’ve granted you beta access to the Account Activity API. The app ID you submitted in your application now has the ability to access the webhooks.

I tried with twurl. Response is:

{  
   "errors":[  
      {  
         "code":214,
         "message":"Non-200 response code during CRC GET request (i.e. 404, 500, etc)."
      }
   ]
}

Now I am wondering if it is a server configuration issue - my crc_token endpoint was not hit, at least I do not see anything in the logs. I do not own Or maybe it is just a wrong endpoint definition.

I have two endpoints:
POST <BASE_URI>/twitter/webhook
GET <BASE_URI>/twitter/webhook - accepts crc_token as query param

Sample curl for GET endpoint

curl --request GET \
  --url '<BASE_URI>/twitter/webhook?crc_token=<crc_token>'

#4

Update number 2.

A little progress, but webhook registration is still not working. My problem was that my API was secured and all calls from the Twitter API were unauthorized. Now the problem is with the CRC token value or the json format.
Sample responses from my service:

{
    "response_token": "sha256=ojxyskCc4wQJgYcsxnt+9oaR38Q="
}
{
    "response_token": "sha256=tsXrbLNRJ/u36/2dniuiP5ZyiGg="
}

And response body for twurl /1.1/account_activity/webhooks.json -d 'url=<BASE_URI>/twitter/webhook' -t

{  
   "errors":[  
      {  
         "code":214,
         "message":"Webhook URL does not meet the requirements. Invalid CRC token or json response format."
      }
   ]
}

To calculate response_token I use the same algorithm as for creating the signature when authorizing requests.
This is code used to calculate response_token:

public String encode(String source, String consumerSecret) {
    try {
        byte[] keyBytes = consumerSecret.getBytes();
        SecretKey secretKey = new SecretKeySpec(keyBytes, "HmacSHA1");
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(secretKey);
        final byte[] text = source.getBytes();
        return new String(Base64.encodeBase64(mac.doFinal(text))).trim();
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new RuntimeException("Could not encode");
    }
}

#5

Update number 3

Finally I was able to register the webhook from twurl. The problem was the encode method from the previous post. With the updated method it finally worked.

public String encode(String source, String consumerSecret) {
    try {
        byte[] keyBytes = consumerSecret.getBytes();
        SecretKey secretKey = new SecretKeySpec(keyBytes, "HmacSHA256");
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(secretKey);
        final byte[] text = source.getBytes();
        return new String(Base64.encodeBase64(mac.doFinal(text))).trim();
    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
        throw new RuntimeException("Could not encode");
    }
}

Now I am trying to do the same from code and I still get 401 Unauthorized. It looks like the signature generation is not valid for the endpoint /1.1/account_activity/webhooks.json, while it is valid for the /oauth/request_token, /oauth/access_token and /1.1/account/verify_credentials.json endpoints.

Should I add also request body to signature generation?


#6

I solved my problem with webhook registration. The last missing part was that the url parameter added to the signature base string was not encoded.
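
The signing detail from posts #5 and #6, as an added example that is not code from the thread: a Python sketch of the OAuth 1.0a (RFC 5849) signature base string for the webhook registration call, showing that the form-encoded url parameter belongs in the base string and must be percent-encoded before the parameter string is encoded as a whole. The keys, secrets, nonce, timestamp and example.com URL are constructed sample values, and the skip_encoding argument is a hypothetical switch that reproduces the mistake.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Endpoint from the thread; every other value below is constructed sample data.
ENDPOINT = "https://api.twitter.com/1.1/account_activity/webhooks.json"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "sample-consumer-key",
    "oauth_nonce": "c0ffee1234",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1500000000",
    "oauth_token": "sample-access-token",
    "oauth_version": "1.0",
    "url": "https://example.com/twitter/webhook",  # form body parameter
}


def pct(value):
    """Percent-encode per RFC 5849 section 3.6 (only unreserved chars stay)."""
    return quote(value, safe="-._~")


def signature_base_string(method, endpoint, params, skip_encoding=()):
    """Build the base string; skip_encoding (hypothetical) reproduces the bug."""
    pairs = sorted(
        (pct(k), v if k in skip_encoding else pct(v)) for k, v in params.items()
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # Whole string is encoded again, so a correct url value is escaped twice.
    return "&".join([method.upper(), pct(endpoint), pct(normalized)])


def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets, base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("utf-8")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def demo():
    good = signature_base_string("POST", ENDPOINT, SAMPLE_PARAMS)
    bad = signature_base_string("POST", ENDPOINT, SAMPLE_PARAMS, skip_encoding=("url",))
    secrets = ("sample-consumer-secret", "sample-token-secret")
    return good, bad, sign(good, *secrets), sign(bad, *secrets)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The server rebuilds the base string from the request it receives, so the two signatures differ and the variant with the raw url value fails authentication.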