OAuth Echo


Dear support,

I’m writing a Twitter-based application for iPhone, based on a web service written by me. I need to verify the user’s credentials before inserting a new image into my database.

I think that the correct flow is using OAuth Echo, in order to verify user credentials, before updating my database.

However I’m stuck with this operation at two points:

  1. forwarding the X-Verify-Credentials-Authorization from the user request into a fresh forged curl request, like the following:

$allHeaders = getallheaders();
// forwarding the value under its original header name (this is the request that fails)
$header = array(
    'X-Verify-Credentials-Authorization: ' . $allHeaders['X-Verify-Credentials-Authorization']
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api.twitter.com/1/account/verify_credentials.json");
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$respond = curl_exec($ch);
$response_info = curl_getinfo($ch);

always gives me a 401 error.


Ok, just found a solution, one minute ago.

$allHeaders = getallheaders();

$ch = curl_init("https://api.twitter.com/1/account/verify_credentials.json");
curl_setopt($ch, CURLOPT_USERAGENT, "myAgent");
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// the forwarded value must be sent as the Authorization header, not under its original name
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Authorization: ' . $allHeaders['X-Verify-Credentials-Authorization'],
));

$respond = curl_exec($ch);
$response_info = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// only an HTTP 200 from Twitter means the user's credentials are valid
return ($response_info == 200);

Now it’s the time for the second question.

This operation is RATE LIMITED on the oauth_token from the user. Is that correct? This is really important, since my web service needs to validate many users.

Thanks for your help!


Hi @valv0,

To help me understand whether OAuth Echo is the right choice for you, can you tell me a bit more about the role Twitter plays in the service you’re authoring? Is Twitter identity the primary form of identity for your web service?

Which version of iOS are you developing with?

Assuming that OAuth Echo was the right choice for you, you would be wanting to take the “X-Verify-Credentials-Authorization” value from the received request and use it as the “Authorization” HTTP header for your outbound request to Twitter (instead of keeping it the same name as you currently are).

Additionally, you wouldn’t want to hard code the verify_credentials end point but instead use the end point indicated by the “X-Auth-Service-Provider” header (which more often than not, will be pointing to account/verify_credentials).


You are correct – rate limits when using an authenticated access token count against that user’s rate limits, not the unauthenticated rate limits.
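A server-side verifier for the flow described in the reply above (forward X-Verify-Credentials-Authorization as the Authorization header, and send it only to the endpoint named by X-Auth-Service-Provider), written as an added example for this thread and not code from either poster. The allowed-host list, the User-Agent string, the insertNewPhoto.php request handler and the check on the id_str field are assumptions:

```php
<?php
// Added example: OAuth Echo verification for an endpoint such as insertNewPhoto.php.
// Header names follow the OAuth Echo convention discussed in the thread;
// the allowlist values below are assumptions.

const OAUTH_ECHO_ALLOWED_HOSTS = ['api.twitter.com'];
const OAUTH_ECHO_ALLOWED_PATH  = '/account/verify_credentials.json';

/**
 * Validate the client-supplied X-Auth-Service-Provider URL before the client's
 * Authorization value is relayed anywhere. Returns the normalised URL or null.
 */
function oauthEchoProviderUrl(string $provider): ?string
{
    $parts = parse_url($provider);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return null;   // never relay credentials over plain HTTP
    }
    if (!in_array(strtolower($parts['host']), OAUTH_ECHO_ALLOWED_HOSTS, true)) {
        return null;   // the client must not point the server at an arbitrary host
    }
    if (substr($parts['path'], -strlen(OAUTH_ECHO_ALLOWED_PATH)) !== OAUTH_ECHO_ALLOWED_PATH) {
        return null;   // only the verify_credentials resource is acceptable
    }
    // Rebuild from the validated parts; this drops any user:pass@ or #fragment.
    $url = 'https://' . strtolower($parts['host']) . $parts['path'];
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

/**
 * Relay the OAuth Echo headers to the provider. Returns the decoded account
 * JSON on HTTP 200, or null (with $reason set) on any failure.
 */
function verifyOAuthEcho(array $headers, ?string &$reason = null): ?array
{
    // getallheaders() preserves the case the client sent; normalise the keys.
    $h = array_change_key_case($headers, CASE_LOWER);
    if (empty($h['x-auth-service-provider']) || empty($h['x-verify-credentials-authorization'])) {
        $reason = 'missing OAuth Echo headers';
        return null;
    }
    $url = oauthEchoProviderUrl($h['x-auth-service-provider']);
    if ($url === null) {
        $reason = 'X-Auth-Service-Provider is not an allowed endpoint';
        return null;
    }
    $auth = trim($h['x-verify-credentials-authorization']);
    if (stripos($auth, 'OAuth ') !== 0 || preg_match('/[\r\n]/', $auth)) {
        $reason = 'malformed Authorization value';   // also rejects header injection
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => false,   // a redirect would resend the header elsewhere
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_USERAGENT      => 'myAgent',   // assumed value
        CURLOPT_HTTPHEADER     => ['Authorization: ' . $auth],
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        // 401 means the signature did not verify; treat every non-200 as unauthenticated
        $reason = 'provider returned HTTP ' . $status;
        return null;
    }
    $user = json_decode($body, true);
    if (!is_array($user) || empty($user['id_str'])) {
        $reason = 'unexpected provider response';
        return null;
    }
    return $user;
}

// Usage inside a hypothetical insertNewPhoto.php request handler:
if (PHP_SAPI !== 'cli') {
    $user = verifyOAuthEcho(getallheaders(), $why);
    if ($user === null) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['error' => $why]);
        exit;
    }
    // Associate the stored photo with $user['id_str'], never with a client-supplied user id.
}
```

The endpoint allowlist is the important part: the X-Auth-Service-Provider header is chosen by the client, so relaying the Authorization value to whatever URL it names would let a malicious client receive other users' forwarded credentials. Disabling redirects and requiring HTTPS close the same gap on the transport side.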


Hi episod,

Thank you for your quick reply. I’m working with iOS 4.3+ firmware. The application uses Twitter as authentication provider, in order to authenticate the users (something like: I need to know whether who you say you are is who you really are).

First, the user inserts his credentials into a “login with twitter” screen. The oauth_token and oauth_token_secret are stored in the iOS application and used to forge and sign all requests.

After this first step, if the user wants to insert an image in my database, he calls an API web endpoint (http://mywebsite/insertNewPhoto.php).

The above PHP script takes the photo from a POST parameter, but before inserting it into the DB, it checks the headers in the request and makes a call to Twitter, in order to authenticate the user.

To accomplish this, I’ve forged a new cURL request like the one above in my previous post.

I understand about the hard coding issue in your last assertion about X-Auth-Service-Provider. You are right! Sorry, I will fix it asap.

Is this a typical scenario for OAuth Echo?

Thanks in advance for your help!


This is a great use case for OAuth Echo – you could have taken other approaches that would be a bit more complicated, but this keeps things fairly simple for you. Good luck with the project!


Costantino, I have the same task to accomplish that you are mentioning here.
How did you solve the “rate limit” problem?
I would be happy if you would share your experience and code with me.

Thanks for your reply, Heiko



I solved my problem, since rate limits count against the user’s rate limits, not the application’s. So, each user is responsible for his requests.

So far, I haven’t received any report of rate limits being reached. So, I can state that my use case is working correctly.

The app is now live at http://www.strips.to and is available for iOS4.3+.

Good luck with your app!



Hi Costantino, thanks for your quick reply. That is great. So echo is the way I will go too. Would you be so kind and share the iOS code for sending the authorization to your web service with me?

Thanks again. I will keep you posted on my progress. Heiko