verify_credentials returns Could not authenticate you


I can successfully get the request token and access token using the following two URLs.


But when I try to call verify_credentials, it responds with “Could not authenticate you”. I am using the following URL.


I use exactly the same function to create the signature string for verify_credentials as I use for request_token and access_token, so I doubt it could be my signature. I suspect the problem could be something to do with the fact that the first two calls are POST requests and the verify_credentials call is a GET request. Do I have to send any special headers for GET requests? The only header I am sending is the Authorization header. The verify_credentials request is not supposed to take any parameters.

Here is an example of my signed Authorization header:

Authorization: OAuth oauth_consumer_key=“CONSUMER_KEY”,
oauth_signature_method=“HMAC-SHA1”, oauth_timestamp=“1417442885”,

Response headers:

HTTP/1.1 401 Authorization Required
content-length: 63
content-type: application/json;charset=utf-8
date: Mon, 01 Dec 2014 13:29:31 UTC
server: tsa_b
set-cookie: XXXXXXXXXXXXXX;; Path=/; Expires=Wed, 30-Nov-2016 13:29:31 UTC
strict-transport-security: max-age=631138519
x-connection-hash: d539667cd22a94515094ebd22b36eec5

Response body:

{“errors”:[{“message”:“Could not authenticate you”,“code”:32}]}

There only other possibility I can think of is that the signature creation process is different for request_token and access_token than it is for other calls, but I can’t find anything in the documentation about that. Also, the call to access_token returns the correct oauth_token, which is the one I see when I use the signature generator. (There is a link to the signature generator at So I would assume that my signature creation process is correct or else I would not be able authorize successfully.


I had the same problem. I waste 1 day, read hundreds pages.
I have found solution.
When you are making signature, you need to sign not only with oauth_consumer_secret. You need to sign it with oauth_consumer_secret&oauth_token_secret, where oauth_token_secret is access_token_secret. For requests oauth/request_token and oauth/access_token it looks like oauth_consumer_secret& .

My code:

NSMutableString *parameterString = [NSMutableString stringWithString:@""];
[parameterString appendFormat:@"oauth_consumer_key=%@", [oauth_consumer_key urlencode]];
[parameterString appendFormat:@"&oauth_nonce=%@", [oauth_nonce urlencode]];
[parameterString appendFormat:@"&oauth_signature_method=%@", [oauth_signature_method urlencode]];
[parameterString appendFormat:@"&oauth_timestamp=%@", [oauth_timestamp urlencode]];
[parameterString appendFormat:@"&oauth_token=%@", [oauth_token urlencode]];
[parameterString appendFormat:@"&oauth_version=%@", [oauth_version urlencode]];

NSString *signatureBaseString = [NSString stringWithFormat:@"%@&%@&%@", httpMethod, [url urlencode], [parameterString urlencode]];
NSString *signingKey = [NSString stringWithFormat:@"%@&%@", [oauth_consumer_secret urlencode],[oauth_token_secret urlencode]];

NSString *oauth_signature = [self hmacsha1:signatureBaseString secret:signingKey]; // ready signature