Twitter returns "Could not authenticate you" to the VBScript, but a standalone cURL request works


I am writing a plugin in VBScript to fetch my home timeline, however I am encountering problems with authenticating via OAuth. The twitter server returns “Could not authenticate you” which would indicate that something is wrong with a token or a signature, however when I attempt a standalone cURL request on a Linux machien with the exact same token and signature I experience no authentication problems at all. cURL manages to fetch my home timeline without problems, VBScript on the other hand does not, which leads me to believe that something is wrong with the way I communicate with the twitter server in my script. Here is my VBScript code:

Function GetTimeline()
	Dim objXmlHttp, nError, sHttpRequest, sTimestamp
	Set objXmlHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
	sTimestamp = DateDiff("s", "1970/01/01 00:00:00", Now())
	objXmlHttp.Open "GET", "", False
	objXmlHttp.setRequestHeader "Authorization", "OAuth oauth_consumer_key=" & Chr(34) & "" & Chr(34) & ", oauth_nonce=" & Chr(34) & "" & Chr(34) & ", oauth_signature=" & Chr(34) & "" & Chr(34) & ", oauth_signature_method=" & Chr(34) & "HMAC-SHA1" & Chr(34) & ", oauth_timestamp=" & Chr(34) & sTimestamp & Chr(34) & ", oauth_token=" & Chr(34) & "" & Chr(34) & ", oauth_version=" & Chr(34) & "1.0" & Chr(34)
	objXmlHttp.send ""
	if objXmlHttp.status = 200 Then
		Response.Write objXmlHttp.responseText
		Response.Write "An error occurred: " & objXmlHttp.responseText
	End If
End Function

I have of course removed the consumer key, nonce, signature and token for obvious reasons. These are however identical in the script and the cURL request. What is wrong with the manner in which I communicate with the twitter server?


Have you tried matching the nonce, timestamp, keys, and method signature to create the exact same signature base string and signature in your own code given the same parameters? The best way to rule out any issues in your code is to get your code to deterministically reproduce a known successful request. Once you’ve squared that away, you can look to other things that may cause a request to go bad – an off clock, a HTTP library handling things a little differently, and so on.

What’s the response body and HTTP status line when you run into the error you’re hitting? You’ll find that the response body often contains hints on how to proceed.


The HTTP status code is 401, indicating that credentials were incorrect or missing, but they work perfectly in the standalone cURL request… how can that be?

The response body is {“errors”:[{“message”:“Could not authenticate you”,“code”:32}]}