Securing a webhooks error 215



I am trying to secure a webhook for the account activity API. I keep getting bad authentication error 215.
This is what I am sending.
curl --request POST --url ‘’ --header ‘authorization: OAuth oauth_consumer_key=“consumer_key”, oauth_nonce=“NONCE”, oauth_signature=“GENERATED”, oauth_signature_method=“HMAC-SHA1”, oauth_token=“token”, oauth_version=“1.0”’

Not sure what I should be putting instead of NONCE or the oauth signature.



Have you looked into using the activity dashboard at all?

The dashboard allows you to just set up an endpoint in your app for Twitter to hit with a CRC token, and then test it out.

When I went to secure my webhook, I just set up a route for twitter to hit and then parsed the crc_token out with this (it’s written with node):

app.get('/webhook/twitter', (request, response) =>{
    let crc_token = request.query.crc_token

        let hash = security(crc_token, config.consumer_secret)
            response_token: 'sha256=' + hash
        response.send('Error: crc_token is missing from request')


*app* is an express server
*security* is a function that just hashes the crc_token and returns it base64 (I'll add that below)

My Security function:

const crypto = require('crypto')

 * Creates a HMAC SHA-256 hash created from the app TOKEN and
 * your app Consumer Secret.
 * @param  token  the token provided by the incoming GET request
 * @return string
module.exports = function(crc_token, consumer_secret) {
  hmac = crypto.createHmac('sha256', consumer_secret).update(crc_token).digest('base64')
  return hmac


I have the code but, how do I send the request from the dashboard?
I see nothing on


Sorry this took so long for my reply, Twitter JUST notified me -_-

Once you have registered some endpoints for callbacks, you just type in the URL for where you have set up your CRC handler (the code I posted above for instance is at {$MY_URL}/webhook/twitter)
(You can do it in your app details page on, it looks like this)

Now, I will say the dashboard didn’t work perfectly for me, but that same account activity dashboard repo has some CLI instructions that did work for me


I am having a hard time understanding how to send the CRC challenge.

I added the Callback URL to the app details.

My app is written on Ruby on Rails. Working with Amazon AWS and my website is on Heroku (I haven’t pushed anything to Heroku yet, instead pointed the callback URL to the AWS url).


Do you by chance have a repository written on Ruby?