It’s weird, because even though reverse auth is not supported anymore, for some reason I was the one that got that error message when badly authenticating in POST /oauth/access_token. I can’t tell you why does that happen, I simply don’t know, but my problem was simple: I had a typo in my code.
So if your situation is anything similar to mine, you should need to take a better look at your code. Remember you need to send the authentication header which is a little bit different from the authentication header you sent in POST /oauth/request_token. Now your tokens will be different and your signature will change (because of a new signing key).
Hope this helps!
