Http 403 - Forbidden and code 99 (authenticity_token_error)



I want to implement application only authentication for twitter in Java, just the way it is descried in this documentation: .

My Java code to obtain the bearer token looks like this:

String consumerKey = URLEncoder.encode(RandomStringUtils.randomAlphabetic(15));
String consumerSecret = URLEncoder.encode(RandomStringUtils.randomAlphabetic(25));
String credentials = consumerKey + ":" + consumerSecret;
String credentialsEncoded = Base64.encodeToString(credentials.getBytes("UTF-8"), Base64.NO_WRAP);
Log.d(DEBUG_TAG, "credentials = " + credentials);
Log.d(DEBUG_TAG, "credentialsEncoded = " + credentialsEncoded);

URL url = new URL("");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestProperty("User-Agent", "My Twitter App v1.0.23");
conn.setRequestProperty("Host", "");
conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
conn.setRequestProperty("Authorization", "Basic " + credentialsEncoded);
conn.setRequestProperty("Accept-Encoding", "gzip");
OutputStream os = conn.getOutputStream();
BufferedWriter writer = new BufferedWriter(new OutputStreamWriter(os, "UTF-8"));
int responseCode = conn.getResponseCode();
Log.d(DEBUG_TAG, "responseCode = " + responseCode);
Log.d(DEBUG_TAG, "conn.getResponseMessage() = " + conn.getResponseMessage());
String line = null;
String response = "";
BufferedReader br = null;
try {
        br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
} catch (Exception ex) {
        br = new BufferedReader(new InputStreamReader(conn.getErrorStream()));
} finally {
        while ((line = br.readLine()) != null) {
            //Log.d(DEBUG_TAG, "line = " + URLDecoder.decode(line,"UTF-8"));
            response += line;
Log.d(DEBUG_TAG, "response = " + URLDecoder.decode(response, "UTF-8"));

Unfortunatley the output is always like this:

responseCode = 403
conn.getResponseMessage() = Forbidden
response = ����������������Q�0�޷�{�Y�SC�,l�B�^�����Z��<u&����a��^�G�)3��/---4�-D���IrE�,�����mc�6��Y��������������$�{i������

Is something wrong with my implementation? Did I understand the documentation in a wrong way?


OAuth can be tricky - I’d recommend looking at Twitter4J’s implementation, or (since you’ve tagged this as “android”), looking at Twitter Kit, which we provide as a native SDK for Android with source code available on Github.


Thanks for your tip. I will look into that.

But can you tell me exactly whats wrong with my Code?

I found many posts describing the same problem, but none of the solutions did work for me.


Ok I implemented something with the Android Twitter Kit:

TwitterConfig config = new TwitterConfig.Builder(this)
                .logger(new DefaultLogger(Log.DEBUG))
                .twitterAuthConfig(new TwitterAuthConfig(
TwitterApiClient twitterApiClient = TwitterCore.getInstance().getApiClient();
StatusesService statusesService = twitterApiClient.getStatusesService();
Call<List<Tweet>> timelineCall = statusesService.userTimeline(null, "twitterapi", null, null, null, null, null, null, null);
timelineCall.enqueue(new Callback<List<Tweet>>() {
            public void success(Result<List<Tweet>> result) {
                System.out.println("success, result = " + result);

            public void failure(TwitterException exception) {
                System.out.println("failure, exception = " + exception);

But i still get a 403 respectively 400 error:

**E/Twitter: Failed to get app auth token**
**  HTTP request failed, Status: 403**
**               at**
**               at retrofit2.ExecutorCallAdapterFactory$ExecutorCallbackCall$1$**
**               at android.os.Handler.handleCallback(**
**               at android.os.Handler.dispatchMessage(**
**               at android.os.Looper.loop(**
**               at**
**               at java.lang.reflect.Method.invoke(Native Method)**
**               at$**
**               at**
**I/System.out: failure, exception = HTTP request failed, Status: 400**

This is strange the exception tells me its 400, but the api exception Stacktrace tells me its 403.

whats going on here?


And also i have tried Twitter4j which leaves me with the same error message.

this is my Twitter4j implementation:

ConfigurationBuilder builder;
builder = new ConfigurationBuilder();
Twitter twitter = new TwitterFactory(;
twitter.setOAuthConsumer(RandomStringUtils.randomAlphanumeric(20), RandomStringUtils.randomAlphanumeric(40));
OAuth2Token token = twitter.getOAuth2Token();
Log.d(DEBUG_TAG,"token.getTokenType() = " + token.getTokenType());

And the resulting error message:

W/System.err: 403:The request is understood, but it has been refused. An accompanying error message will explain why. This code is used when requests are being denied due to update limits (
W/System.err: message - Unable to verify your credentials
W/System.err: code - 99
W/System.err: Relevant discussions can be found on the Internet at:
W/System.err: or
W/System.err: TwitterException{exceptionCode=[13ec0412-15971965], statusCode=403, message=Unable to verify your credentials, code=99, retryAfter=-1, rateLimitStatus=null, version=4.0.6}
W/System.err:     at twitter4j.HttpClientImpl.handleRequest(
W/System.err:     at twitter4j.HttpClientBase.request(
W/System.err:     at
W/System.err:     at twitter4j.auth.OAuth2Authorization.getOAuth2Token(
W/System.err:     at twitter4j.TwitterBaseImpl.getOAuth2Token(
W/System.err:     at$override.downloadHTML(
W/System.err:     at$override.static$access$000(
W/System.err:     at$override.access$dispatch(
W/System.err:     at$000(
W/System.err:     at$1$override.doInBackground(
W/System.err:     at$1$override.access$dispatch(
W/System.err:     at$1.doInBackground(
W/System.err:     at$1.doInBackground(
W/System.err:     at android.os.AsyncTask$
W/System.err:     at
W/System.err:     at android.os.AsyncTask$SerialExecutor$
W/System.err:     at java.util.concurrent.ThreadPoolExecutor.runWorker(
W/System.err:     at java.util.concurrent.ThreadPoolExecutor$
W/System.err:     at


OMG i found the problem.

you have to register at to get the Consumer Key and Secret. You cant just genereate a Random String and use it as Consumer key and secret.

The documentation is unclear about that in my opinion.


Ah - yes, absolutely you need an app consumer key and token.

I’d be happy to clarify the documentation. Where would you suggest this should be made more clear (documentation page links?). Sorry you were confused about this!


thanks for some feedback. No need to be sorry for that.

I think an entry on this page under the paragraph Issuing application-only requests as a Step 0 would be appropriate. Something along these lines:

Step 0:
To obtain a Consumer and Secret Key go to the page:
Input the stuff there and obtain the keys…

(this is not really meant to be copy&pasted into the docs)


Got it - thanks for the suggestion.