POST oauth/request_token: Failed to validate oauth signature and token


Hello, I get “401 unauthorized” with “Failed to validate oauth signature and token” in my POST oauth/request_token. I’m using the same OAuth functions I have used in other calls and they work there, so I don’t think the problem is here (though it might be, as oauth parameters are different here than in other calls).

This is my request (I changed my app consumer key to post it here):

Authorization: OAuth oauth_callback=“oob”, oauth_nonce=“NjM0OTczNDc3MDQ2NjA3MjMx”, oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1361747305”, oauth_consumer_key=“MY_CONSUMER_KEY”, oauth_signature=“vuaGELvkMd%2BpDYEYvYo3Rj9EXwk%3D”, oauth_version="1.0"
Connection: Keep-Alive

It’s a desktop application, and in my app setting at dev.twitter I set Callback URL to blank, as I understand desktop applications don’t use his url callback parameter.

Can you see anything wrong in this request?

Thank you


This looks correct from as much as I can see on this end. Usually when this kind of thing fails though, it’s because of the signature base string. You may want to make sure you’re sending Content-Length: 0 on a POST without a body. Depending on the library you’re using, there might be something going on with not including oauth_callback as a query or POST parameter.


Well, issue solved, I post the solution in case someone finds the same problem.

Usually, when generating OAuth signature, the compositeKey used to generate hash is obtained like this (this is VB.NET):

compositeKey = String.Concat(Uri.EscapeDataString(oauth_consumer_secret), "&", Uri.EscapeDataString(oauth_token_secret))

When calling POST oauth/request_token, as we don’t have a oauth_token_secret yet, the compositeKey is generated like this:

compositeKey = String.Concat(Uri.EscapeDataString(oauth_consumer_secret), "&")

At first, I was omitting the final “&” and it resulted to be required to generate a valid compositeKey and OAuth signature.

Happy coding!



I hope someone can help me? I am stuck within the same problem.

This is my request:
Headers -
oauth_callback: oob
oauth_signature: 4yAvreUerTeHHzIjze9y5zOUHL0%3D
oauth_nonce: g2DUQtXB1tsq93VDG8/1+A==
oauth_version: 1.0
oauth_signature_method: HMAC-SHA1
oauth_consumer_key: mE7K7J1RSFK37HmESCxWXw
oauth_timestamp: 1363074775
Request parameters -

The server response (including headers):
X-Runtime: 0.01961
X-Transaction: 5d6fe0fcbb98c7a8
Content-Length: 44
Expires: Tue, 31 Mar 1981 05:00:00 GMT
X-MID: 70bf59709152195c551772b7b46f81fcbfc41c81
Last-Modified: Tue, 12 Mar 2013 07:53:00 GMT
Set-Cookie: guest_id=v1%3A136307478028373239;; Path=/; Expires=Thu, 12-Mar-2015 07:53:00 UTC
Server: tfe
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Pragma: no-cache
Status: 401 Unauthorized
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Date: Tue, 12 Mar 2013 07:53:00 GMT
Content-Type: text/html; charset=utf-8
Protocol version: 1.1
Status line: 401 Unauthorized
Failed to validate oauth signature and token

I checked my timestamp; it is in GMT and around 5 seconds smaller than the timestamp generated by the server (including connection latency). I’m living in germany, but submitting a GMT timestamp is correct, isn’t it?

I checked the implementation of my key & signature algorithm by Twitter’s tutorial and the examples given @ . It seems to work correctly…

I did not include a token at the end, but I was appending an “&”.
This is what my unencrypted signature looks like:

My signature:

I am developing in Java without former twitter/oauth libraries (not applicable for my situation). I would love to see a working signature example in Java… I could also provide the application keys & secrets (that will be resetted after that, of course) to let you check on my signature algorithm.

One question: Does the key have to be URLEncoded (percentage encoded) before using it to encrypt the signature?

You may find my javacode to generate the signature over here:
(EncodeUtil.encodePercentage works, that’s for sure; EncryptionUtil.encryptHmacSHA1 works, too, I checked that with sample data and got the correct output)

Best greetings,
Martin Bories