Invalid or expired token


Hi a few of my users are experiencing the error “Invalid or expired token.”. I understand what the message means, I just wonder if something may be causing this to happen for some people. My website has not been modified in any area that should affect it.

Is there a way to regenerate their tokens? Would them de-authorising my app and re-authorising it help in any way?

My App is authorised multiple times

I can think of a couple of issues that could cause this:

  • the user manually invalidated the token via their Settings->Apps page
  • there was some time drift or change which caused the tokens to appear expired.

Doing that de-auth/re-auth dance could well resolve it - doesn’t help to identify the reason why this is happening in the first place, though.

(moving to the OAuth category since this is more related to that area)


Thanks for the reply.

De-auth/re-auth does seem to ‘fix’ it, when it happened to me, but it’s hard explaining how to do it to average users. It’s very odd as nothing in that area of code was changed. It happened within a few minutes of logging in and worked for a while and then just got that error from then onwards.

Another oddity is that my wife uses it, but it doesn’t show in her list of authorised apps. She went to the app list and it wasn’t there for her! She then revoked numerous apps that she no longer uses and refreshed the page and it still wasn’t there! Even when she logs in now - it still isn’t there!


Nope it still seems to be happening sporadically. Some people say it still happens after a de-auth and re-auth. There doesn’t seem to be any pattern to it.

I am using PHP, and originally used the Abraham Williams’s library but I changed to tmhOAuth from “themattharris” to see if it helped - it didn’t.

It’s unlikely people are randomly invalidating it as I get the token when people log in via Twitter and the token is only stored in the PHP session while at the site. Their session and, therefore, token is disposed of until they next log in.

Time drift is mentioned here and there but I don’t think it’s the case. If I do a random call (say “statuses/home_timeline”) and look at the entire response. I can see:

{“errors”:[{“code”:89,“message”:“Invalid or expired token.”}]}

As well as

[date] => Fri, 19 Jun 2015 13:35:18 GMT

in the response.
As a unix timestamp that’s

In the same PHP script I echo’d the date on computer and it’s
Fri, 19 Jun 2015 14:35:18 BST
As a unix timestamp that’s
It’s the same time.

I’ve made the script email me when this error happens along with the tokens that are in their session and the tokens look like tokens - not truncated or anything.

What else would cause tokens to become invalid?


The site worked without this error from 7pm (UK time) on Friday until Sunday at 10pm :confused:

This is crazy!

All of a sudden the error cropped up again. I’ve checked the webhost server time and it matches my clock. And it works for some people and not others :confused:


And… it worked for almost 3 days in a row… and I’m getting it again :frowning:


And several more people say it’s not in their authorised apps list…


Now one final stange thing. It seems to be certain actions with particular tweets that break the token. Following seems to always work. I haven’t extensivly tested that, but it seems to be the case. It seems to be Retweeting certain tweets that cause it, and then any further actions will all fail.

In one session I could:
Follow: @London366
Follow: @DiscountSupp
But if I RTed:
The token was now invalid. And wouldn’t work anymore.

After unfollowing and un-retweeting (manually on, it did it again and again. No matter what order I did these things it was always the RT of that broke the token.


I may have an answer…

The token seems to get invalidated after a “This request looks like it might be automated. To protect our users from spam and other malicious activity, we can’t complete this action right now. Please try again later.” error (code #226)

This error (on my app) only seems to get triggered with a RT, I’ve not had it after a tweet etc.

So the RT fails for this reason and then any further actions get the “Invalid or expired token.” error.

So after getting the 226 error I can just pop up a “re-login” message and then they can continue.

This invalidating the token behaviour must be new as I’m certain it didn’t work this way previously. It makes sense as it would prevent a spammy website abusing a Twitter account as much as it could do. It’s just annoying that it changed with no warning.

It doesn’t explain the missing app on the “my apps page”…



I think we are having the same issue with our app. User’s tokens getting unauthenticated when they retweet a particular tweet. However the issue with that tweet is gone if we try again after a few hours.

Are you able to find the root cause of this strange issue as there is no explanation by Twitter?

Thanks for your help.


No, no specific explanation. Everything just started working reliably again.