Invalid response token



Hi, I have been trying to use the Account Activity API but keep getting a “Webhook URL does not meet the requirements” error.

I know that it isn’t response time. Testing the website on pingdom gives a latency of less than one second and the Twitter API responds in less than a second with the error.

I am sure that it is the response token but I don’t know why it isn’t working. I followed the guide one of the twitter staff recommended in this post Validating CRC for Webhooks to create my response token.

public function get ( Request $request )
        return response ()->json ([
            'response_token'    =>  'sha256=' . base64_encode ( hash_hmac ( 'sha1' , $request->input ( 'crc_token' ) , env ( 'TWITTER_SECRET' ) , true ) ),
        ], 200 );

Using the crc_token: MzkxMjdiNDctODBmZi00YTJiLWFmM2UtM2NjOTllZDg3OGI2
My server gives the response: {"response_token":"sha256=mfD4IDOTTX0NsqNxpk0xHHTQUZI="}

I hope that one of you can help :smiley:


I think one thing Twitter can do is to improve the API by making the message in the response even more detailed. “Webhook URL does not meet the requirements” is too vague and does not help the developer with troubleshooting. I really don’t see why the message cannot be more detailed.

I posted about my similar issue on this other thread and I actually noticed that the issue was not a matter of latency. This is because my webhook URL did not receive a CRC validation request from Twitter during the webhook creation attempt. So that leaves me feeling like there might either be a general problem with the security checks on Twitter or it’s some problem with the SSL validation of the website.


Hmm. I took a careful look at your sample and realised that you might be making a small mistake.

You’re doing a SHA1-HMAC hash instead of a SHA256-HMAC hash.

Try correcting that and then try again.


That worked, thank you so much. As for your problem with not receiving a CRC validation request, have you tried calling the API in an application like postman and not URL encoding your webhook link. Despite what the documentation says every time I tried to pass a URL encoded link my server would never receive a request however when I pass a non URL encoded link it works fine.


Good for you. I’m happy my suggestion helped.

Yes. I also realised that contrary to what the docs say, the request will fail with an encoded URL. So, I did not encode my URL.

What’s peculiar about my own scenario is that in the same application, webhook creation works when the application is deployed on my localhost behind a ngrok proxy, but it does not work when I deploy to my web server hosted online.

Both instances have valid HTTPS certificates, so I’m quite confused TBH.