It must be so simple: 401 Unauthorized on Request Token


Have been scratching my head for all day on this one. As soon as I set an Callback URL during the request_token POST I get a 401.


  1. No callback URL works fine (default callback URL on the Application is used)
  2. Callback URL set to “oob” works kinda fine (provides PIN)
  3. Callback URL set to “” tried to redirect Twitter to “
  4. Adding a forward slash to “” causes 401 (ie. “”)

Here is my base string used to create the signature:

POST&< my key :wink: >%26oauth_nonce%3DNjM1MDEyNzQxNjg3ODEzMTc1%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1365641369%26oauth_version%3D1.0

Here are my OAuth headers:

OAuth oauth_callback=“http%3A%2F%2F127.0.0.1%2Fsign-in-with-twitter%2F”,
oauth_consumer_key="< my key :wink: >",

No capitalization issues on the encoded URLs, as you can see. I have a default callback URL setup in the Twitter Application.

Not sure what else to try. Only other suggestion I have seen is to try and create a new application.


Indeed it was simple, although not entirely logical to my mind.

I simply needed to double encode the the Callback URL - which makes sense given the observation related to adding a forward slash - when putting together the base string used to generate the oAuth signature.

Hopefully this is helpful for others, as it’s certainly not what I would expect… I would expect exact matching values on all fields between the base string and the headers. All good.