Intermittent authorization header spacing errors


I’ve received the following error a couple of times today in response to requests:

<?xml version="1.0" encoding="UTF-8"?> InvalidArgumentAuthorization header is invalid -- one and only one ' ' (space) requiredOAuth oauth_consumer_key="PclSN9AX3Z2q4w229MXZmg", oauth_nonce="0b857df53e9d4bce8912ec72a91d7792", oauth_signature="5U81GaUHCAb%2FePj8Xo0wm953qsQ%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1344875688", oauth_token="285041641-HrtJMF7CPSbgXfs07emyywG6lhYxYdp5Qe6OWwpE", oauth_version="1.0"Authorization9FDF64B69006F0DCXB8kzzuHdBwIAGiR7k6jTQE6aXf2u6qTFfFt/+ba960DSbwJTHTww4zwKNByMiRX

An identical request made a few minutes later will often succeed. Here’s an example of the Authorization header for a successful request to the same URL:

OAuth oauth_consumer_key="PclSN9AX3Z2q4w229MXZmg", oauth_nonce="7e2c12666c204c539d5b5e6f9286f495", oauth_signature="J8%2F1lvUe%2BF1OB81FF2%2Bs9jS2BaY%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1344875783", oauth_token="285041641-HrtJMF7CPSbgXfs07emyywG6lhYxYdp5Qe6OWwpE", oauth_version="1.0"

There’s no difference that I can work out (there are definitely no repeated spaces in the failing requests). These are requests for profile images, if that makes a difference (I’m aware I don’t actually need to authorize those, but I’m concerned this is a more general bug in my OAuth code).

My code is here, in Python/Qt:

Have I missed something about the header or in my code, or is this a Twitter issue?


Which specific API methods were you calling at the time this happened? Are you doing your requests through any kind of proxy?


These were profile image requests (using the HTTPS url). I haven’t observed the issue with any other requests, but it’s very infrequent and I’ve made a lot more profile image requests than other requests. (I realise it’s possible that this is just an issue with authorising profile image requests and the solution is to stop doing that, but I’d like to be sure it’s not a more general issue first.)

I’m not behind a proxy or anything.


Is this to calls on’s profile image redirect method or on the profile images themselves? If it’s the latter, you really should just not include authorization on the request – as you may be seeing, it may cause some unpredictable results.


It’s the direct URL, yeah, from the user JSON object. I’ll stop that authing, then. Thanks!