I can't get Twitter's OAuth Test to work


Hi all,

I’m at the bottom of the learning curve for using the REST API v1.1.

Here’s what I’ve done so far, and a description of the stumbling block which has completely defeated me:

I created an App, then gave it “read, write and direct messages” permissions. Then I regenerated the API keys and OAuth tokens.

I downloaded the Abraham Twitter OAuth library from https://github.com/abraham/twitteroauth. I cannot get any of the function calls to work. They all report “invalid or expired token”.

I went to the app management page for my app and clicked “Test OAuth”.

I want to test it with something simple, so under Request Settings, I choose Request Type “GET” and Request Query “account/verify_credentials”.

Then I click “see OAuth Signature for this request”.

Among the data that is presented to me, I see the curl command to use. It looks like this (edited to hide the keys and the signature):

curl --get 'https://api.twitter.com/1.1/' --data 'account%2Fverify_credentials=' --header 'Authorization: OAuth oauth_consumer_key="XXXXXXXXXXXXXXXXXXXX", oauth_nonce="f187b1a421600e88ffebeed19b6c1fbf", oauth_signature="XXXXXXXXXXXXXXXXXX", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399538823", oauth_token="XXXXXXXXXXXXXXXXXXXXXXXX", oauth_version="1.0"' --verbose

So, I copy-and-paste this IMMEDIATELY (i.e. so that the timestamp does not expire) to my terminal (I’m using Debian), and I get the following response (again, edited to remove keys and signature), where you can see down the bottom it says, once again, “Invalid or expired token”:

* About to connect() to api.twitter.com port 443 (#0)
*   Trying connected
* Connected to api.twitter.com ( port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* 	 subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; OU=Twitter Security; CN=api.twitter.com
* 	 start date: 2014-04-08 00:00:00 GMT
* 	 expire date: 2014-10-10 23:59:59 GMT
* 	 subjectAltName: api.twitter.com matched
* 	 issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
* 	 SSL certificate verify ok.
> GET /1.1/?account%2Fverify_credentials= HTTP/1.1
> User-Agent: curl/7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/ libidn/1.15 libssh2/1.2.6
> Host: api.twitter.com
> Accept: */*
> Authorization: OAuth oauth_consumer_key="XXXXXXXXXXXXXXXXXX", oauth_nonce="f187b1a421600e88ffebeed19b6c1fbf", oauth_signature="XXXXXXXXXXXXXXXXXXXXXX", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399538823", oauth_token="XXXXXXXXXXXXXXXXXXXXXXXXXXX", oauth_version="1.0"
< HTTP/1.1 401 Unauthorized
< content-length: 25
< content-type: text/plain
< date: Thu, 08 May 2014 08:47:38 UTC
< server: tfe
< set-cookie: guest_id=v1%3A139953885863095383; Domain=.twitter.com; Path=/; Expires=Sat, 07-May-2016 08:47:38 UTC
< strict-transport-security: max-age=631138519
Invalid or expired token
* Connection #0 to host api.twitter.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

What confuses me completely is that I have submitted Twitter’s own curl command back to Twitter and it has rejected it!!!

Any ideas??? I am completely stuck at this point.


It looks like you are using account%2Fverify_credentials= as the path when it should probably be account/verify_credentials.json
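
Added example, not part of the original thread and not code from the twitteroauth library: a Python sketch of OAuth 1.0a HMAC-SHA1 signing (RFC 5849) showing that the request URL is part of the signed base string, so an Authorization header built for `https://api.twitter.com/1.1/` is a different header from one built for the `account/verify_credentials.json` path suggested in the reply. The keys and secrets are constructed placeholders; the nonce and timestamp are the ones shown in the post.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Method, URL without query, and sorted encoded parameters, joined by '&'."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def auth_header(method, url, oauth, query, consumer_secret, token_secret):
    """Build the Authorization header value for one specific request."""
    sig = sign(method, url, {**oauth, **query}, consumer_secret, token_secret)
    fields = sorted({**oauth, "oauth_signature": sig}.items())
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in fields)

# Constructed sample values; the nonce and timestamp are the ones in the post.
OAUTH = {
    "oauth_consumer_key": "CONSUMER_KEY_PLACEHOLDER",
    "oauth_nonce": "f187b1a421600e88ffebeed19b6c1fbf",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1399538823",
    "oauth_token": "ACCESS_TOKEN_PLACEHOLDER",
    "oauth_version": "1.0",
}
SECRETS = ("CONSUMER_SECRET_PLACEHOLDER", "TOKEN_SECRET_PLACEHOLDER")

# Request as in the posted curl command: base URL plus a query parameter.
AS_POSTED = ("https://api.twitter.com/1.1/", {"account/verify_credentials": ""})
# Request with the endpoint in the path, as the reply suggests.
AS_SUGGESTED = ("https://api.twitter.com/1.1/account/verify_credentials.json", {})

if __name__ == "__main__":
    for url, query in (AS_POSTED, AS_SUGGESTED):
        print(base_string("GET", url, {**OAUTH, **query}))
        print(auth_header("GET", url, OAUTH, query, *SECRETS), "\n")
```

Because the signature covers the method, URL and parameters, changing the path in a copied curl command also requires regenerating the `oauth_signature` for the new URL.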