"Unauthorized: Could not authenticate you" after v1.1 update for existing tokens


We are receiving an unauthorized error from the API for all calls to https://dev.twitter.com/docs/api/1.1/get/account/verify_credentials for existing auth tokens. When re-authenticating with oauth, new tokens work as expected. Obviously it is not ideal to have all of our previously valid existing user tokens be invalidated by the move to 1.1. The 1.1 release docs claim seamless token transfer. Are there any known caveats to this or common issues that the 1.1 jump would cause?


The tokens should move cleanly as there is no difference to the auth model whatsoever in API v1.1, aside from API v1.1 being stricter with the OAuth.

In this case, were you able to get calls to /1/account/verify_credentials to function correctly with the same exact tokens as a failed request to /1.1/account/verify_credentials? (The execution call path in our back end is different for these two methods.)

Do you have an example of a user ID that is exhibiting this trouble? Any chance you can capture HTTP response headers in such a failed challenge?


This spontaneously resolved itself after three days of failures.


I spoke too soon. Our application no longer attempts to make API calls for users after a few consecutive failures. We are still seeing this for all users who authenticated with the 1.0 API. One example is the user @PetiteXXS. Please let us know if there is any possible solution. Thanks.


We still haven’t found a resolution for this. Can we get a follow up on the example user?


This was a result of a bug in our oauth signatures under the new API. This has now been resolved. Thanks!




Hi Chris and Taylor,
I have the same issue. Many (not all) of my tokens are not working anymore with API 1.1. Here is an example. The following call works in 1.0 but not in 1.1. Am I missing something?
Thx for your help,


The response I get:
[url] => https://api.twitter.com/1.1/statuses/user_timeline.json?oauth_consumer_key=0kOc7S4AXi9iaNyzLEv0Rg&oauth_nonce=fe02e9f52263bb28d00c9864d636e6bf&oauth_signature=1jihu%2F4ed9Hb9%2Fu%2FvdfxFNON3QE%3D&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1355736120&oauth_token=308930278-VxGlaF40PGIIHY9iOr6qurCdZkIAhRHLOSsnfURu&oauth_version=1.0&screen_name=philippegabl1
[content_type] => application/json; charset=utf-8
[http_code] => 401
[header_size] => 146
[request_size] => 431
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0,862148
[namelookup_time] => 0,061396
[connect_time] => 0,252944
[pretransfer_time] => 0,661914
[size_upload] => 0
[size_download] => 61
[speed_download] => 70
[speed_upload] => 0
[download_content_length] => 61
[upload_content_length] => 0
[starttransfer_time] => 0,86154
[redirect_time] => 0
[certinfo] => Array

[redirect_url] => 


stdClass Object
[errors] => Array
[0] => stdClass Object
[message] => Invalid or expired token
[code] => 89




Are you able to execute account/verify_credentials using the same tokens in API v1 and v1.1? Perhaps the token really is invalidated, but v1’s “give you the benefit of the doubt and consider you unauthenticated” trick is just making you think it’s working with v1 when it’s not?

OAuth is also stricter in API v1.1. You’ll find yourself more likely to produce valid OAuth if you stick to header-based auth instead of querystring.
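An added example, not part of the thread and not Twitter's or any poster's code: a minimal OAuth 1.0a HMAC-SHA1 signer that sends the credentials in the Authorization header, as advised above, while still signing the query parameters. The keys, secrets, nonce, timestamp and token are constructed placeholders, and the helper names are hypothetical. Printing the signature base string is the quickest way to spot the encoding and ordering mistakes that a stricter server rejects with a 401.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 keyed with both secrets, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, query, oauth, secrets):
    """Build the header value; query parameters are signed but not sent in it."""
    signature = sign(base_string(method, url, {**query, **oauth}), *secrets)
    signed = dict(oauth, oauth_signature=signature)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(signed.items()))
    return "OAuth " + fields


# Constructed sample values; not real credentials.
URL = "https://api.twitter.com/1.1/application/rate_limit_status.json"
QUERY = {"resources": "statuses,account"}  # the comma must be encoded twice
OAUTH = {
    "oauth_consumer_key": "EXAMPLE_CONSUMER_KEY",
    "oauth_nonce": "0123456789abcdef0123456789abcdef",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1355520000",
    "oauth_token": "12345-EXAMPLE_ACCESS_TOKEN",
    "oauth_version": "1.0",
}
SECRETS = ("EXAMPLE_CONSUMER_SECRET", "EXAMPLE_TOKEN_SECRET")

if __name__ == "__main__":
    print(base_string("GET", URL, {**QUERY, **OAUTH}))
    print(authorization_header("GET", URL, QUERY, OAUTH, SECRETS))
```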


Thanks for your answer Taylor,
The call account/verify_credentials failed both in 1 and 1.1 (HTTP code 401). So it seems clear my token is broken. Now asking for a new token (through account/authorize) actually works fine, but it means asking my customers to do a full OAuth dance :frowning:

I also tried header based OAuth, it leads to the same error
curl --get 'https://api.twitter.com/1.1/application/rate_limit_status.json' --header 'Authorization: OAuth oauth_consumer_key="0kOc7S4AXi9iaNyzLEv0Rg", oauth_nonce="be3d1969972b943b65d9b0fa7be5f3ea", oauth_signature="rXi5n63UDIQTR%2FUxMmSbfHSWaRA%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1355520261", oauth_token="308930278-VxGlaF40PGIIHY9iOr6qurCdZkIAhRHLOSsnfURu", oauth_version="1.0"' --verbose


You won’t necessarily need to ask all your customers to do that – unless they’ve somehow invalidated their access tokens as well. You should regularly use account/verify_credentials to verify that the tokens you’re working with are still valid before making API calls with them.


You should regularly use account/verify_credentials to verify that the tokens you’re working with are still valid before making API calls with them. so verify me and thanks


I have the Twitter API; 20 days ago it was working fine, but now I am getting a problem during authentication (not passing token number etc.) and I am getting this message.

Whoa there!

There is no request token for this page. That’s the special key we need from applications asking to use your Twitter account. Please go back to the site or application that sent you here and try again; it was probably just a mistake.

Go to Twitter.

Please help me with how to solve this.


Please help me if possible…


Hello @episod.

Today we are doing some changes in code. We changed the library and now we are getting authentication, but after authentication we are getting another error, which is as below.

stdClass Object ( [errors] => Array ( [0] => stdClass Object ( [message] => Invalid or expired token [code] => 89 ) ) )

Can you please help me to solve this issue ?


Got the same issue Array ( [errors] => Array ( [0] => Array ( [message] => Invalid or expired token [code] => 89 ) ) )


bump… still no luck with this