Some apps authenticate, some don't and throws 401 NOT_AUTHORIZED


I have an app created last year, called X. Access level of X is Read-only.

I have an app created today, called Y. Access level of Y is Read and Write. (not sure if relevant)

What I’m trying to do is to retrieve a request_token from endpoint.

Twitter OAuth endpoint does redirection to Allow/Deny screen very well and works completely fine for X. On the other hand, I change consumer key & secret accordingly OAuth settings of Y.

Then, what happens is, Twitter returns an HTTP 401. My OAuth library (Play! framework OAuth lib, used by many people, very unlikely to be the root cause for the issue) says that “Authorization failed (server replied with a 401). This can happen if the consumer key was not correct or the signatures did not match.”

The point that I don’t get is why it is working for an app but not the other one. For debugging purposes, id numbers of apps are as follows: X=656570, Y=1414841. I really wonder why is that happening. Does anyone has an idea?



Tried consumer key/secret combination for Y on a working system (developed by someone else) which is written completely in a different language and thus a completely different OAuth client. Still gets HTTP 401 Unauthorized.

I have noticed that issued consumer_secret has one less character (43 in total) compared to all my (and friends’) other Twitter apps. Maybe that’s the reason, however issued OAuth consumer key/secret combination just does not get authorized.

Situation persists for newly created applications. None of new apps work except my old app with 44-chars consumer_secret.


Have you stepped outside of your library code and attempted the requests using something like curl that will not obfuscate the true error and HTTP headers you’re receiving? There may be more details than what’s being provided to you by your client. You can find an “OAuth Tool” tab on any of your application details pages on, which can help you formulate a request using curl on the command line to better see the true error being thrown.


As I told before, I already have tried generated keys on different apps coded on different languages and different oauth clients. I also have tried using oauth tool. It also didn’t work. I still claim that generated keys are somehow invalid. Again, I want to point out that my other app keys are working. Can you please view keys of apps I have described in first message and specified ids"


Why are you not investigating this? I still claim that I have tried this on different languages/libraries and my issued keys are just not working. I hereby allow you to see my consumer keys for those apps and test it yourself and confirm the issue.


Are you doing callback-based OAuth with both of these apps? One of the apps does not contain a placeholder callback URL, which will allow it to only be used by PIN-based OOB OAuth or xAUth – while the other application has a placeholder callback URL that allows it to do dynamic callback-based OAuth.

Are you examining the exact error message sent to you when using the non-functional application? It should say something to the effect that the operation you’re trying to do is forbidden by the key’s current configuration state.