POST oauth2/token && Application-only authentication Always 404


I’m trying to migrate to this type of auth, and using my curl for the token I constantly receive 404 not found.

My code is the following:
curl --request 'POST' '' --header 'Authorization: "Basic QUI4NkczTFd///==", Content-Type: "application/x-www-form-urlencoded;charset=UTF-8" ' --data "grant_type=client_credentials" --verbose

I URL-encoded and added the semicolon between my key and my secret, base64-encoded it, and added it to the headers.
And followed the guidelines in the documentation.

What am I doing wrong?



I’m working to resolve this quickly. It’s a problem on our (Twitter’s) side.


Great, I’ll try again later.

Thank you for the quick reply.


I am also working on getting a bearer token for my iOS app and am getting a 403 error with the message {"code":99,"label":"authenticity_token_error","message":"Unable to verify your credentials"}.

I am making a POST request to with postData “grant_type=client_credentials”, application/x-www-form-urlencoded;charset=UTF-8 for Content_Type, g-zip for Accept-Encoding.

I am also adding a BASIC Authentication header (Basic XXXXXXXXXXXXX == for key Authorization) created by : base64encoded (have also tried url encoding before base64encoding).

If you can offer any insight to where I am going wrong it would be much appreciated!

Thanks -


Hi guys, I have the same results as g_low, have you already solved this issue?



For me this error was solved a day after I made the post.
Since now I’m using the same bearer token it might have gone down again without me noticing.


Has this been fixed?


I just tried to make a connection as mentioned above but without the double quotes around Authentication value and Content-Type values and it worked.

curl --request 'POST' '' --header 'Authorization: Basic NlZv/////ZVk=, Content-Type: application/x-www-form-urlencoded;charset=UTF-8 ' --data "grant_type=client_credentials" --verbose


This works for me as well, but how to translate this into actual code? On OSX, NSMutableURLRequest doesn’t have an option to just leave off the double quotes. It seems excessively strict that it only works this way.


I am still seeing this issue. I’ve double checked my encoding as per and it is correct. Anyone else still seeing this?


So how did you solve the issue? I am facing the same here.


Yep, also seeing this.

This works fine:

curl -u $key:$secret -d grant_type=client_credentials

(I hadn’t noticed that base64 was wrapping my key)


I’m having the same problem, it seems to ignore the grant_type in the POST body. However, it works when I POST to it but with the grant_type as a request param on the url:


I am still seeing this issue. I’ve double checked my encoding as per and it is correct. Same problem, have you already solved this issue?


Hey, I am getting 500 Internal Server Error Forbidden when I am trying to send Post oauth2/token… Can you please help me with this?

Below is the code:

HttpClient httpclient = new DefaultHttpClient();
String consumer_key="consumer_key";
String consumer_secret="consumer_secret";
consumer_key=URLEncoder.encode(consumer_key, "UTF-8");
consumer_secret=URLEncoder.encode(consumer_secret,"UTF-8");
String authorization_header_string=consumer_key+":"+consumer_secret;
byte[] encoded = Base64.encodeBase64(authorization_header_string.getBytes());
String encodedString = new String(encoded); //converting byte to string
HttpPost httppost = new HttpPost("");
httppost.setHeader("Authorization",encodedString);
List<NameValuePair> parameters = new ArrayList<NameValuePair>();
parameters.add(new BasicNameValuePair("grant_type", "client_credentials"));
httppost.setEntity(new UrlEncodedFormEntity(parameters));
httppost.setHeader("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
ResponseHandler<String> responseHandler = new BasicResponseHandler();
String responseBody = httpclient.execute(httppost, responseHandler);


I had the same problem. I needed to send the grant type in the URL and not the POST body.


You’re setting the Authorization header incorrectly.

Line #10 should be:

httppost.setHeader("Authorization", "Basic " + encodedString);


Same issue on iOS. Anyone solved this?


I can confirm that the 'curl -u $key:$secret' works for me. When examining the output, it turns out that the base64 encoded Authentication header is a few bytes shorter than expected.

Pseudo code:

echo $key:$secret | base64

curl -u $key:$secret --verbose … | egrep -o 'NWd4UD.*'


This worked for me too, thanks!
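
Added example, not part of any post in this thread: a shell sketch that builds the Basic header value from key:secret and classifies a candidate value by the mistakes reported above (quoted value, missing "Basic " prefix, wrapped base64, echo adding a newline). KEY, SECRET, basic_header and check_header are hypothetical names; the credentials are constructed and contain only characters that URL-encoding leaves unchanged.

```shell
#!/bin/sh
# Added example. Constructed sample credentials, not real ones.
KEY='EXAMPLEconsumerKEY0123456'
SECRET='EXAMPLEconsumerSECRET0123456789abcdefghijklmnopqrstu'
NL='
'

# Build the header value: base64(key:secret) with no trailing newline in the
# input (printf, not echo) and no line wrapping in the output (tr strips it).
basic_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Classify a candidate Authorization value by the mistakes seen in the thread.
check_header() {
    case "$1" in
        \"*|*\")   echo quoted; return ;;
        "Basic "*) token=${1#"Basic "} ;;
        *)         echo missing-basic-prefix; return ;;
    esac
    case "$token" in
        *"$NL"*|*" "*) echo wrapped-base64; return ;;
    esac
    # Append a sentinel so $(...) does not strip a decoded trailing newline.
    decoded=$(printf '%s' "$token" | base64 --decode 2>/dev/null; printf x)
    decoded=${decoded%x}
    case "$decoded" in
        *"$NL") echo newline-inside-credentials ;;
        *:*)    echo ok ;;
        *)      echo not-key-colon-secret ;;
    esac
}

# Self-check on the constructed credentials.
check_header "$(basic_header "$KEY" "$SECRET")"
```

Run a failing header value through check_header before sending it; a result other than ok points at the client-side encoding, not the endpoint.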