Request Bearer token - 403 forbidden


I’ve been struggling for hours, don’t know how to continue.
I’m trying to use app-only authentication, however EVERY request for a token is returned as “403 Forbidden: The server understood the request, but is refusing to fulfill it.”

I have doubled checked everything is correct, following the Twitter guide to the letter, yet still I always receive a 403.

My request looks like the below, and is being sent to:

                type: 'POST',
                url: config[provider].auth_url,
                beforeSend: function (request) {
                    request.setRequestHeader("Authorization", "Basic " + encodedToken);
                    request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
                data: 'grant_type=client_credential',
                success: function (msg) {
                }, error: function(msg) {


I have checked the token, it definitely is a BASE64 encoded value of: api_key:api_secret

What is going wrong?


WTF, when I use to do exactly the same, it is working? But it is not working using jquery call above???

Even with plain old javascript it’s not working:

 var xmlhttp = new XMLHttpRequest();"POST", "", false);
        xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xmlhttp.setRequestHeader("Authorization", "Basic xxxxxx");


The problem you are hitting here is CORS. Client-side OAuth in Javascript is pretty difficult to deal with, and your best option would be to build the OAuth flow on your server side to proxy the call, rather than trying to do it from jquery in the browser.


Thanks. It is built in a Cordova / HTML5 app. So, there is no server side (yet).

I can’t use Application authentication I have concluded, because I forget I need to e.g. retweet. Will go for this approach:

Can move some things into the cloud, to e.g. keep api_secret secret, but first it has to work.


OK - looking at that example, it is still using v1 of the API which is no longer available, but let us know if it works with v1.1!