How to solve “Failed to validate oauth signature and token” for "Using Reverse Auth" (iOS twitter framework)


How to solve “Failed to validate oauth signature and token” for “Using Reverse Auth”. My system time is correct, but the server response is wrong.
Can anybody help me? Please, any idea…

I have got my code:

    NSNumber *timeStamp = [NSNumber numberWithDouble:[[NSDate date] timeIntervalSince1970]];

    // Declared mutable so setValue:forKey: is legal at compile time (original declared NSDictionary)
    NSMutableDictionary *params = [[NSMutableDictionary alloc] init];
    [params setValue:kOAuthConsumerKey forKey:@"oauth_consumer_key"];
    [params setValue:self.uuid forKey:@"oauth_nonce"];
    [params setValue:@"HMAC-SHA1" forKey:@"oauth_signature_method"];
    // NSInteger needs %ld with a (long) cast; %d is wrong on 64-bit
    [params setValue:[NSString stringWithFormat:@"%ld", (long)timeStamp.integerValue] forKey:@"oauth_timestamp"];
    [params setValue:@"1.0" forKey:@"oauth_version"];
    [params setValue:@"reverse_auth" forKey:@"x_auth_mode"];
    // Original had key and value swapped: the token is the value, "oauth_token" the key
    [params setValue:kOAuthToken forKey:@"oauth_token"];
    NSLog(@"PARAMS :%@", params);
    NSString *baseUrl = @""; // endpoint URL is missing from the post

    NSURL *url = [NSURL URLWithString:baseUrl];
    TWRequest *request = [[TWRequest alloc] initWithURL:url parameters:params requestMethod:TWRequestMethodPOST];

    [request performRequestWithHandler:^(NSData *responseData, NSHTTPURLResponse *urlResponse, NSError *error){
        NSLog(@"%@", urlResponse.URL.absoluteString);
        if ([urlResponse statusCode] == 200){
            // The response from Twitter is in JSON format
            // Move the response into a dictionary and print
            NSError *jsonError; // renamed: the original shadowed the handler's error parameter
            NSDictionary *dict = [NSJSONSerialization JSONObjectWithData:responseData options:0 error:&jsonError];
            NSLog(@"Twitter response: %@", dict);
        } else {
            NSLog(@"DATA STRING: %@", [[NSString alloc] initWithData:responseData encoding:NSUTF8StringEncoding]);
            NSLog(@"Twitter error, HTTP response: %ld", (long)[urlResponse statusCode]);
        }
    }];

Console output:
"include_entities" = 1;
rebelmouse[4730:1550b] PARAMS :{
"oauth_consumer_key" = XXXXXXXXXXXXX;
"oauth_nonce" = "A14D693B-609E-4D89-961A-76C4ED9776F3";
"oauth_signature_method" = "HMAC-SHA1";
"oauth_timestamp" = 1340633451;
"oauth_version" = "1.0";
"x_auth_mode" = "reverse_auth";
DATA STRING: Failed to validate oauth signature and token
Twitter error, HTTP response: 401


I’ve not dug in deeply yet to this, but out of curiosity, are you passing include_entities=1 as a parameter to this method? The oauth/* methods probably shouldn’t have this parameter sent to it – I don’t see you setting it in your code, but that output of yours shows it and maybe there’s something related to that?


It looks like you’re not actually signing the request to /request_token, you’re just passing the OAuth params via a POST. I also don’t recommend using TWRequest for any of your own signing operations (i.e. when you pass your own consumer key and secret), since the platform does signing of its own that is out of your control.

I have an example project at that shows how to perform the full process. You’ll notice that the call to /request_token is made by my own request class, and then the second step, to obtain the user’s token and secret, is made using TWRequest.


No, the first PARAMS output refers to another, hidden method.
See the second PARAMS :{
"oauth_consumer_key" = XXXXXXXXXXXXX;
"oauth_nonce" = "A14D693B-609E-4D89-961A-76C4ED9776F3";
"oauth_signature_method" = "HMAC-SHA1";
"oauth_timestamp" = 1340633451;
"oauth_version" = "1.0";
"x_auth_mode" = "reverse_auth";


@theSeanCook, I see this project, but it doesn’t work for me. I receive:

<?xml version="1.0" encoding="UTF-8"?>

Client is not permitted to perform this action

ReverseAuth[1172:15703] [Error]: (null)
ReverseAuth[1172:15703] [Error]: Response Code:403 "forbidden"

I think I found an error in your program. The values authToken and _authTokenSecret are empty when you call the method OAuthorizationHeader. But when I set the values, then I receive this message from the server:
Failed to validate oauth signature and token


Have you submitted a request to obtain the reverse auth permission for your application? If not, make sure you have read [node:2354].


What are the correct values to place in _authToken, _authTokenSecret ?

With these left empty the response from the server is FORBIDDEN

With these set to the access token and access token secret for our app (i.e. the ones corresponding to our consumer key/secret) we get “Client is not permitted to perform this action”

However randomizing those values produces the same result… so what is supposed to go there?


Scratch that. I have established that although Twitter support say that our app is definitely enabled for reverse_auth, we always get Stage 1 response:

<?xml version="1.0" encoding="UTF-8"?> Client is not permitted to perform this action

This is using the example project at


I am having the same problem with example project at

Our app is definitely enabled for reverse auth but we always get Stage 1 response: <?xml version="1.0" encoding="UTF-8"?>

Client is not permitted to perform this action


Did you ever manage to solve this? We have just got the email from Twitter saying that our account has been enabled for reverse auth but I keep getting this error.


Are you seeing this error when using the example project listed above?

The only place where you need to edit the project is to add your consumer key and secret (the pair that was enabled for reverse auth).

You do this in TWSignedRequest.m:


Check your system clock –


Just a heads up, I had to add the x_auth_mode to both the header and the post body. It was the only way I could make it work.

Here is an example using AFNetworking + AFOAuth1Client

AFOAuth1Client *twitterClient = [[AFOAuth1Client alloc] initWithBaseURL:[NSURL URLWithString:@""] key:@"key" secret:@"secret"]; //<<-- put info here (base URL is missing from the post)

NSMutableDictionary *parameters = [[twitterClient OAuthParameters] mutableCopy];
[parameters setValue:@"reverse_auth" forKey:@"x_auth_mode"];

[self addLine:parameters]; // addLine: is the poster's own logging helper

// x_auth_mode is carried in the signed OAuth parameters (Authorization header) AND in the POST body
NSMutableURLRequest *request = [twitterClient requestWithMethod:@"POST" path:@"/oauth/request_token" parameters:parameters];
[request setHTTPBody:[@"x_auth_mode=reverse_auth" dataUsingEncoding:NSUTF8StringEncoding]];

AFHTTPRequestOperation *operation = [twitterClient HTTPRequestOperationWithRequest:request success:^(AFHTTPRequestOperation *operation, id responseObject) {

    // AFOAuth1Token *accessToken = [[AFOAuth1Token alloc] initWithQueryString:operation.responseString];

    // Step 2: hand the signed step-1 response to the iOS account store via SLRequest
    NSMutableDictionary *step2Params = [[NSMutableDictionary alloc] init];
    [step2Params setValue:@"key" forKey:@"x_reverse_auth_target"]; //<<--- and here
    [step2Params setValue:operation.responseString forKey:@"x_reverse_auth_parameters"];
    SLRequest *iosrequest = [SLRequest requestForServiceType:SLServiceTypeTwitter requestMethod:SLRequestMethodPOST URL:[NSURL URLWithString:@""] parameters:step2Params]; // step-2 URL is missing from the post
    [iosrequest setAccount:account]; // account: the ACAccount chosen by the user
    [iosrequest performRequestWithHandler:^(NSData *responseData, NSHTTPURLResponse *urlResponse, NSError *error) {
        NSString *responseStr = [[NSString alloc] initWithData:responseData encoding:NSUTF8StringEncoding];
        // see below for an example response
        [self addLine:[NSString stringWithFormat:@"The user's info for your server:\n%@", responseStr]];
    }];
} failure:^(AFHTTPRequestOperation *operation, NSError *error) {
    [self addLine:[NSString stringWithFormat:@"%@", error]];
}];

[twitterClient enqueueHTTPRequestOperation:operation];


@theSeanCook; I tried to use your demo but I have the same problem too, in step 2 I get the response below;

Printing description of step2Params:
"x_reverse_auth_parameters" = "Failed to validate oauth signature and token";
"x_reverse_auth_target" = xxxxxxx;

And then I get this error response;
I’ve read your reply in another discussion that we don’t need to request reverse_auth for our applications anymore. So I haven’t requested it. What should I do?
Thanks for your help.

__53-[TWViewController actionSheet:clickedButtonAtIndex:]_block_invoke
Reverse Auth process returned: <?xml version="1.0" encoding="UTF-8"?>

Client is not permitted to perform this action


I’m getting the exact same thing as @seymatanoglu. Step 1 just says Failed to validate oauth signature and token…


I just fixed it by doing what @foticious did. I added x_auth_mode=reverse_auth to the Authorization Header AND the post body. I don’t think this is mentioned in the docs. The sample app pretty much just doesn’t work either.
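The point this thread converges on (the signing reply to the original code, and the x_auth_mode finding above), shown as an added Python example that is not code from any of the posts or from Twitter's SDKs: an OAuth 1.0a HMAC-SHA1 signature must cover every parameter the server will receive, including a field sent in the POST body such as x_auth_mode, or the server reconstructs a different base string and answers "Failed to validate oauth signature". The server-side check below is a simplified model that merges header and body parameters by name; the consumer key/secret, nonce and the request_token URL are assumed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"  # step-1 endpoint named in the thread

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted 'k=v' pairs) over ALL parameters the server will receive."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer_secret)&enc(token_secret); the token secret is empty for request_token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def sign_reverse_auth_request(consumer_key, consumer_secret, nonce, timestamp, body, sign_body=True):
    """Build the step-1 Authorization header. sign_body=False reproduces the thread's failure:
    x_auth_mode is posted in the body but left out of the signed parameter set."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    signed = {**oauth, **body} if sign_body else dict(oauth)
    oauth["oauth_signature"] = hmac_sha1_signature(
        signature_base_string("POST", REQUEST_TOKEN_URL, signed), consumer_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def server_accepts(auth_header, body, consumer_secret):
    """Simplified model of the server check (assumption: header and body parameters are merged by
    name): rebuild the base string from everything received and compare signatures in constant time."""
    received = {}
    for item in auth_header[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        received[unquote(k)] = unquote(v.strip('"'))
    presented = received.pop("oauth_signature", "")
    expected = hmac_sha1_signature(
        signature_base_string("POST", REQUEST_TOKEN_URL, {**received, **body}), consumer_secret)
    return hmac.compare_digest(presented, expected)
```

Whether a server that receives the same parameter in both the header and the body counts it once or twice in its base string is implementation-specific; the model above merges by name.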


Thanks, super helpful.

Shouldn’t this be in the docs?