PIN-based auth - request_token only works if I already have a token_secret



I have to develop my own library to make calls to the twitter API. Everything was working fine (signed requests, Application-only authentication…) until I tried to implement PIN-based authentication.

I got the entire Authentication flow working, getting a request token, redirecting the user to get a PIN, logging them in and posting requests on their behalf. Here is the catch: I cannot manage to properly sign requests to oauth/request_token.

Normally at that step of the authentication, you don’t yet have an OAuth token secret, so there are 2 choices:

  1. Use Application-only authentication, which doesn’t require the token. This gives me a “Request token failed” error at Requests to other URLs work fine.
  2. Use the usual OAuth authorized request format, with a signature in the header. The API says:

Note that there are some flows, such as when obtaining a request token, where the token secret is not yet known. In this case, the signing key should consist of the percent encoded consumer secret followed by an ampersand character ‘&’

Doing this returns an “Invalid or expired token” error. Adding an existing token secret after the & makes the request successful. What am I missing? Should I use 1 or 2?


I’ve been working on this for 3 days and googling like mad, and of course 14s after I finally decide to ask for help, I find the answer… Sorry for the useless post, here is the answer:


Great, glad you found an answer here and thanks for sharing the resolution.