Need an OAuth token secret to get an OAuth token secret? What the heck?


I’ve been trying to implement ‘Sign in with Twitter’, but I’m stuck at trying to work out how to get an OAuth token secret for the user.

The Twitter API docs ( say:

“To start a sign in flow, your application must obtain a request token by sending a signed message to POST oauth/request_token

The body of the response will contain the oauth_token, oauth_token_secret, and oauth_callback_confirmed parameters”

And the docs for creating a signature ( say:

“The value which identifies the account your application is acting on behalf of is called the oauth token secret. This value can be obtained in several ways, all of which are described at Obtaining access tokens.”

And the ‘obtaining access tokens’ page links back to “Implementing Sign in with Twitter”, completing the circle.

How can I obtain a token secret if I need a token secret to sign the request to obtain the token secret? What the heck?


OAuth 1.0A uses the same key/value pairs for all kinds of “oauth tokens” – there are two different kinds of tokens in the OAuth you’re doing: a request token and an access token. Each of these kinds of tokens is actually two key/value pairs, an oauth_token and an oauth_token_secret.

In the request token step you receive a request token made up of an oauth_token and oauth_token_secret. The request token represents a temporary condition of your application, that it is ready to authenticate a user.

In the access token step you exchange that request token for an access token, also made up of an oauth_token and oauth_token_secret. This token represents the end-user and its relationship with your application.


How do I get the oauth/access_token for application only? My application is a dashboard which retrieves the number of subscribers per user. My application does not have username and password because of this. It only shows statistics, not individual tweets. How can I get the information back? Since 1.1 I lost connection. I tried to use the key and secret from my dev app and was told I couldn’t use that one.

You need to use the oauth_token and oauth_token_secret returned from the
oauth/access_token call instead of the one in your app’s settings in