[twitter-dev] Re: xAuth problems

[Fernando Olivares]

Got it.

The signatureBaseString has to include the parameters, so after the
oauth version I was missing the x_auth_mode and the other 2
parameters.

Thanks for your help!

[twitter-dev] Re: xAuth problems

[Fernando Olivares]

Also, here's my signature string:

POST&https%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_token&oauth_consumer_key%3DjbEiZQ85zjOamkhVRTclnA
%26oauth_nonce%3DE23ADF41-F137-4E33-
BC51-00AEB7C95439%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1272598628%26oauth_version%3D1.0

Here's how it should look like according to (http://dev.twitter.com/
pages/auth)

 httpMethod + "&" +
  url_encode(  base_uri ) + "&" +
  sorted_query_params.each  { | k, v |
  url_encode ( k ) + "%3D" +
  url_encode ( v )
  }.join("%26")


POST&
https%3A%2F%2Fapi.twitter.com%2Foauth%2Faccess_token
&
oauth_consumer_key%3DEditedKey
%26
oauth_nonce%3DE23ADF41-F137-4E33-BC51-00AEB7C95439
%26
oauth_signature_method%3DHMAC-SHA1
%26
oauth_timestamp%3D1272598628
%26
oauth_version%3D1.0

I think it's ok, so it's probably my signing?
I'm signing with my consumer secret (URLEncoded) followed by an
ampersand (without encoding).

[twitter-dev] Re: Basic Auth Deprecation

[mcfnord]

I think I know the answer to this question (YES), but I wanna clarify:
Everywhere in the docs that I see curl followed by credentials,
if the topic includes REST, that's an API that I will not be using
curl for,
because curl doesn't use oauth, so it cannot authenticate.

i'll certainly know in 30 days if that's right. ;)

[twitter-dev] Re: xAuth problems

[Fernando Olivares]

I think I never sent my answer. If I did, please ignore this or I'll
delete it myself.

Anyway, here's a summary of what I'm doing.

- I am using HTTP headers and POST.
- I am a bit confused about SSL. If all I have to do to use SSL is use
https instead of http, then I'm good.

Here's my post Body:

HTTPBody:
x_auth_mode=client_auth&x_auth_username=olivaresf&x_auth_password=edited

For now, the password doesn't have any non-url safe characters. I'll
be sure to check encoding in case there needs to be.

Here's my HTTP Headers

HTTP Header Fields:{
Authorization = "OAuth realm=\"\", oauth_consumer_key=\"key\",
oauth_signature_method=\"HMAC-SHA1\", oauth_signature=
\"fXz8BNFXbesfsSSE5TKfAyNoRYg%3D\", oauth_timestamp=\"1272590525\",
oauth_nonce=\"CF34FD8C-ADF6-4A2E-BBE9-8650A8ACF96D\", oauth_version=
\"1.0\"";
"X-Twitter-Client" = "App";
"X-Twitter-Client-Url" = "http://theapp.com";;
"X-Twitter-Client-Version" = "0.1";
}

Also, here's the link I'm using: https://api.twitter.com/oauth/access_token

I have no idea what you meant by content-type. Maybe it's that?

Any idea where I went wrong? Anyway, thanks for the help.

[twitter-dev] Consumer Keys vs IP Address and Domain Name

[raj]

Does a consumer need new keys from twitter if the server ip address
changes, even for the same domain name?

I recently upgraded my server from my service provider. As a result
the ip address of my server changed, even though the domain name is
the same. Now Twitter is not servicing my applications' requests. Do I
need new consumer keys?

[twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Rahul]

Taylor,

I am presently using scribe java library for OAuth and as you said all
spec compliant libraries the signature base string will only contain
POST body parameter so does this one.

Also I will try to add the header 'Content-Type' to the library and
let you know how it goes.

Thanks,
Rahul



On Apr 29, 5:38 pm, Taylor Singletary 
wrote:
> Whether it matters before creating your signature or not depends entirely on
> the OAuth library you are using. In spec-compliant OAuth libraries, the
> signature base string will only contain POST body parameters when they are
> of the application/x-www-form-urlencoded type -- most OAuth libraries need a
> way to be instructed on the disposition of the content being passed as the
> POST body and a common way is to look at an abstract request object of some
> kind to determine the type of data being piped in rather than just trying to
> guess or simply assuming that POST bodies will always be of the URL-encoded
> type. There might be another way to instruct your library on the disposition
> of data, but it's likely it'll just assume all POST data provided is of the
> URL encoded variety. I don't think you have any issues with your code in
> this area today.
>
> But as a best practice when dealing with an HTTP-based API of any kind, you
> should be sending a Content-Type header whenever POSTing or PUTing any kind
> of payload. You don't pass a Content-Type header on a GET because there is
> no content being sent.
>
> It's likely that your OAuth library automatically sends the proper
> Content-Type header on the OAuth negotiation steps because those steps are
> required to use URL-encoded POST bodies by the spec.
>
> Taylor Singletary
> Developer Advocate, Twitterhttp://twitter.com/episodOn Thu, Apr 29, 2010 at 
> 2:20 PM, Rahul  wrote:
> > So what are trying to say is that i should explicitly add Content-type
> > header in the message going out and that too before creating the
> > signature?
>
> > Thanks,
> > Rahul
>
> > On Apr 29, 4:58 pm, Taylor Singletary 
> > wrote:
> > > Since you're sending a status, you should be setting a Content-Type
> > header
> > > to indicate the type of payload -- it's best never to assume that a HTTP
> > > server or a HTTP library will know how to understand a payload without
> > being
> > > explicitly told what kind of payload that is. The signature might be
> > > mis-calculating on the Twitter side due to not including your parameters
> > > when constructing it.
>
> > > Taylor Singletary
> > > Developer Advocate, Twitterhttp://twitter.com/episod
>
> > > On Thu, Apr 29, 2010 at 1:36 PM, Rahul  wrote:
> > > > Hello,
>
> > > > To answer your questions. The following is the body response i receive
> > > > back
>
> > > > 
> > > > 
> > > >  /1/statuses/update.xml
> > > >  Incorrect signature
> > > > 
>
> > > > Also, I am not setting any content type header at this point & I am
> > > > using "POST" only for token negotiation. and have not tried any get
> > > > restricted resource yet. I did try some but they seem to be public
> > > > timeline etc which seems to be working good.
>
> > > > Any help on this is highly appreciated.
>
> > > > Thanks,
> > > > Rahul
>
> > > > On Apr 29, 4:22 pm, Taylor Singletary 
> > > > wrote:
> > > > > Hi Rahul,
>
> > > > > I'm trying to think of other reasons. We might be throwing the
> > invalid
> > > > > signature error in a case where the signature is not in fact invalid.
>
> > > > > How about requests are not of the type POST? Have you had a GET
> > (other
> > > > than
> > > > > OAuth token negotiation steps) work for you? When you were doing the
> > > > token
> > > > > negotiation steps, were you using POSTs or GETs? When performing a
> > POST,
> > > > are
> > > > > you setting your HTTP Content-Type header to
> > > > > "application/x-www-form-urlencoded"?
>
> > > > > What's the exact response from the server? There's usually a payload
> > > > > included with the response that may give more clarity to the error.
> > We
> > > > have
> > > > > some upcoming enhancements to the OAuth implementation that will
> > return
> > > > to
> > > > > you the "signature base string we calculated" which would be useful
> > here
> > > > > now..
>
> > > > > Taylor Singletary
> > > > > Developer Advocate, Twitterhttp://twitter.com/episod
>
> > > > > On Thu, Apr 29, 2010 at 1:12 PM, Rahul 
> > wrote:
> > > > > > Taylor,
>
> > > > > > A quick update on this. I tried generating the signature from my
> > > > > > library and the page mentioned below they both seems tbe exactly
> > the
> > > > > > same.
>
> >http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin.
> > > > ..
>
> > > > > > What else can be the reason and how come twitter is responding with
> > > > > > Incorrect Signature ?
>
> > > > > > Thanks,
> > > > > > Rahul
>
> > > > > > On Apr 29, 1:19 pm, Rahul  wrote:
> > > > > > > Taylor,
>
> > > > > > > Thanks for taking a look at it. and to answer your question yes I
> > do
> > > > > > > pass the status

[twitter-dev] Re: Duplicate Statuses in Public Timeline

[mattarnold1977]

John,

I am using the public timeline for analysis.  I haven't examined the
streaming API, but it sounds like that's what I need to use.  In the
mean time I guess I'll just have to ignore the duplicates.  Thank you
for the response.

-Matt

On Apr 29, 9:47 am, John Kalucki  wrote:
> What is your goal for this application?
>
> Are you trying to get a sampling of statuses for analysis, or for
> occasional casual display? If the former, you should use a sample
> method on the Streaming API. If the later, please persist in your
> quest for a reasonably unique result set. The public timeline isn't
> used much anymore and regressions could theoretically and regrettably,
> exist for a bit without anyone noticing.
>
> -John Kaluckihttp://twitter.com/jkalucki
> Infrastructure, Twitter Inc.
>
> On Thu, Apr 29, 2010 at 4:54 AM, mattarnold1977
>
>
>
>  wrote:
> > This is the third time I've reported this issue in the last couple of
> > weeks.  I still have not received any word back from Twitter support
> > regarding this issue.  My server log is filling up with duplicate
> > status errors coming from the public timeline.  I'm waiting to hit the
> > timeline until after the cache period, so it's not that.  And, yes
> > it's not just duplicate status ids I'm seeing, it's also duplicate
> > statuses as well.  Every time I hit the public timeline I compare the
> > results against a months worth of data that I have saved.  Is anyone
> > else having this issue?
>
> > -Matt

[twitter-dev] Re: About update limits

[Dewald Pretorius]

I can't think of a use or requirement that would need more than 1,000
tweets per day.

Unless you're promoting teeth whitening affiliate links that
absolutely must be sent at a rate of one tweet every 30 seconds,
because we all know how quickly the teeth of some followers turn
yellow.

On Apr 29, 8:45 pm, Brian Sutorius  wrote:
> To clarify, statuses/update is not affected by rate-limit whitelisting
> as it's a POST call and we don't maintain a separate whitelist for
> boosting the daily tweet limit above 1000. While we do not give out
> the specifics around the "sub-limits," they *are* administered on a
> per-account basis and if you stay around your approximation of 20
> tweets per half-hour you should be fine.
>
> Brian Sutorius
>
> On Apr 29, 6:07 am, Raffi Krikorian  wrote:
>
>
>
> > the numbers are roughly broken up over the day.  and the limit applies to an
> > account.
>
> > and yes - there is a whitelisting for status/updates -- please e-mail
> > a...@twitter to ask for it.
>
> > On Thu, Apr 29, 2010 at 5:26 AM, akaii  wrote:
> > > This is what the FAQ has to say about status update limits:
>
> > > Updates: 1,000 per day. The daily update limit is further broken down
> > > into smaller limits for semi-hourly intervals. Retweets are counted as
> > > updates.
>
> > > I'm a little unclear as to what exactly is meant by "further broken
> > > down into smaller limits for semi-hourly intervals". Is the 1000 per
> > > day limit divided evenly between the 48 half hours each day (around 20
> > > or so tweets per half an hour?).
>
> > > Also, I'm assuming this limit applies to each unique account?
>
> > > Is this limit absolutely fixed? Or is there some equivalent to
> > > "whitelisting" for status/update limits as well?
>
> > > Thanks...
>
> > --
> > Raffi Krikorian
> > Twitter Platform Teamhttp://twitter.com/raffi

[twitter-dev] How is the limit of 1500 search results calculated?

[Adam Green]

The docs on both the apiwiki and dev.twitter sites say that the search
API is limited to 1,500 results through the combination of the rpp and
page arguments. There are no details on the time frame for this
search, or whether this applies to a single query string. Since you
can only get that many results through multiple calls to the search
API, this limit is confusing.

Is it 1,500 results for a single q=value argument or multiple q=value
arguments?

Is this within a single hour, which seems to be a common time frame
for rate limiting?

I'll be putting the answer to this in an online tutorial and a book
I'm writing, so the answer will be available beyond just this list.

Thanks for any details.

[twitter-dev] Is there small size follow button?

[paloalto]

Follow button in @anywhere api is too large.
Is there a way to choose a smaller size?

[twitter-dev] Re: About update limits

[Brian Sutorius]

To clarify, statuses/update is not affected by rate-limit whitelisting
as it's a POST call and we don't maintain a separate whitelist for
boosting the daily tweet limit above 1000. While we do not give out
the specifics around the "sub-limits," they *are* administered on a
per-account basis and if you stay around your approximation of 20
tweets per half-hour you should be fine.

Brian Sutorius

On Apr 29, 6:07 am, Raffi Krikorian  wrote:
> the numbers are roughly broken up over the day.  and the limit applies to an
> account.
>
> and yes - there is a whitelisting for status/updates -- please e-mail
> a...@twitter to ask for it.
>
>
>
>
>
> On Thu, Apr 29, 2010 at 5:26 AM, akaii  wrote:
> > This is what the FAQ has to say about status update limits:
>
> > Updates: 1,000 per day. The daily update limit is further broken down
> > into smaller limits for semi-hourly intervals. Retweets are counted as
> > updates.
>
> > I'm a little unclear as to what exactly is meant by "further broken
> > down into smaller limits for semi-hourly intervals". Is the 1000 per
> > day limit divided evenly between the 48 half hours each day (around 20
> > or so tweets per half an hour?).
>
> > Also, I'm assuming this limit applies to each unique account?
>
> > Is this limit absolutely fixed? Or is there some equivalent to
> > "whitelisting" for status/update limits as well?
>
> > Thanks...
>
> --
> Raffi Krikorian
> Twitter Platform Teamhttp://twitter.com/raffi

[twitter-dev] Fix for handling invalid credentials deployed

[Mark McBride]

Until recently, setting bad credentials when making a call to an
unauthenticated endpoint would result in a 200 (and the response
body).  However repeated calls with bad credentials would lock out the
account.  We recently started returning an error message indicating
the account was locked out.  Today we're fixing this the rest of the
way, and returning a 401 for any calls that have bad credentials
passed in.  If you start seeing increased 401s on unauthenticated
endpoints it's likely that your credentials have always been invalid,
we're just letting you know now.

   ---Mark

http://twitter.com/mccv

[twitter-dev] An odd scenario I can't solve

[Matt McGee]

Hi everyone. Hope you'll be kind to a non-programmer here. :-) I think
I have an unusual circumstance involving the use of @anywhere on my
web site.

The site in question is called @U2. Yep, been using the @ symbol on
our site since 1998 and it's all over the place. The specific problem
I'm having can be seen on this page:

http://www.atu2.com/news/larry-mullen-stars-in-canadian-movie.html

I'm using the hovercards and you can see the author's name correctly
brings up her hovercard for @tassoula. I'm calling the javascript to
only show hovercards in this main content window, so that the headings
on the right (@U2 Blog Posts, @U2 Calendar, etc.) won't be linked.

But ... as you can see in the first sentence of the article, the
mention of our site name is also linked to a hovercard for @U2.
There's no Twitter account in that name. (The band should own it but
doesn't.)

Is there any way to solve for this? Thanks in advance.

Matt

Re: [twitter-dev] xAuth problems

[Taylor Singletary]

Hi Fernando,

Happy to help you out.

Common issues when trying to get xAuth to work:
  - You must be using HTTP headers for the OAuth Authorization
  - You must be using POST as your method
  - You must be using SSL
  - Your POST body must contain the x_auth_* parameters as standard
application/x-www-form-urlencoded parameters
  - Your Content-Type should be set to "application/x-www-form-urlencoded"
  - If the logins or passwords you are sending have non-url-safe characters,
they should be URL encoded in your POST body and encoded again in your
signature base string (just like any OAuth request)

If you post an example signature base string with your username and
passwords redacted, along with a redacted POST body, and the exact URL you
are hitting we can help you further.

Thanks!

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 2:51 PM, Fernando Olivares wrote:

> Hello everyone,
>
> I'm having constant 401 errors when trying xAuth. My application has
> already been accepted and its permissions granted and refreshed.
>
> Any ideas what the problem is?
>

Re: [twitter-dev] xAuth problems

[Cameron Kaiser]

> I'm having constant 401 errors when trying xAuth. My application has
> already been accepted and its permissions granted and refreshed.
> Any ideas what the problem is?

Post your sig base, if you have it. xAuth is working fine over here.
What are you using to do your oAuth signatures?

-- 
 personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- If you have integrity, nothing else matters. -- Alan Simpson ---

[twitter-dev] xAuth problems

[Fernando Olivares]

Hello everyone,

I'm having constant 401 errors when trying xAuth. My application has
already been accepted and its permissions granted and refreshed.

Any ideas what the problem is?

[twitter-dev] Re: API call to turn on location-based tweets?

[Ken]

just what we needed! thanks

On Apr 29, 11:23 pm, Abraham Williams <4bra...@gmail.com> wrote:
> https://twitter.com/account/geo
>
> On Thu, Apr 29, 2010 at 14:17, Ken  wrote:
>
> > > there
> > > is also a mobile optimized page with just that checkbox on twitter.comthat
> > > you could use too.
>
> > could be useful.. what's the URL?
>
> > thanks
>
> > Ken
>
> --
> Abraham Williams | Developer for hire |http://abrah.am
> @abraham |http://projects.abrah.am|http://blog.abrah.am
> This email is: [ ] shareable [x] ask first [ ] private.

Re: [twitter-dev] twitter oauth

[Lil Peck]

For those of us who use simple Classic ASP scripts and Xhttp to
autmatically update statuses for our websites (my site automatically
updates its twitter status whenever someone posts a new ad), or for
those who use PHP curl for similar things, why not bypass Oauth
altogether, and instead of deprecating basic authentication
altogether, make a few minor changes to it for our needs?

Have us go ahead and register our app with twitter, or the URL which
bears the code to send the twitter update.
Have twitter issue a key and secret for that url.
Have twitter check to make sure the url sending an update is a
registered app and that it has the correct key and secret
.
If/when 2 legged oauth is activated, will it work that way?

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Taylor Singletary]

Whether it matters before creating your signature or not depends entirely on
the OAuth library you are using. In spec-compliant OAuth libraries, the
signature base string will only contain POST body parameters when they are
of the application/x-www-form-urlencoded type -- most OAuth libraries need a
way to be instructed on the disposition of the content being passed as the
POST body and a common way is to look at an abstract request object of some
kind to determine the type of data being piped in rather than just trying to
guess or simply assuming that POST bodies will always be of the URL-encoded
type. There might be another way to instruct your library on the disposition
of data, but it's likely it'll just assume all POST data provided is of the
URL encoded variety. I don't think you have any issues with your code in
this area today.

But as a best practice when dealing with an HTTP-based API of any kind, you
should be sending a Content-Type header whenever POSTing or PUTing any kind
of payload. You don't pass a Content-Type header on a GET because there is
no content being sent.

It's likely that your OAuth library automatically sends the proper
Content-Type header on the OAuth negotiation steps because those steps are
required to use URL-encoded POST bodies by the spec.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 2:20 PM, Rahul  wrote:

> So what are trying to say is that i should explicitly add Content-type
> header in the message going out and that too before creating the
> signature?
>
> Thanks,
> Rahul
>
> On Apr 29, 4:58 pm, Taylor Singletary 
> wrote:
> > Since you're sending a status, you should be setting a Content-Type
> header
> > to indicate the type of payload -- it's best never to assume that a HTTP
> > server or a HTTP library will know how to understand a payload without
> being
> > explicitly told what kind of payload that is. The signature might be
> > mis-calculating on the Twitter side due to not including your parameters
> > when constructing it.
> >
> > Taylor Singletary
> > Developer Advocate, Twitterhttp://twitter.com/episod
> >
> >
> >
> > On Thu, Apr 29, 2010 at 1:36 PM, Rahul  wrote:
> > > Hello,
> >
> > > To answer your questions. The following is the body response i receive
> > > back
> >
> > > 
> > > 
> > >  /1/statuses/update.xml
> > >  Incorrect signature
> > > 
> >
> > > Also, I am not setting any content type header at this point & I am
> > > using "POST" only for token negotiation. and have not tried any get
> > > restricted resource yet. I did try some but they seem to be public
> > > timeline etc which seems to be working good.
> >
> > > Any help on this is highly appreciated.
> >
> > > Thanks,
> > > Rahul
> >
> > > On Apr 29, 4:22 pm, Taylor Singletary 
> > > wrote:
> > > > Hi Rahul,
> >
> > > > I'm trying to think of other reasons. We might be throwing the
> invalid
> > > > signature error in a case where the signature is not in fact invalid.
> >
> > > > How about requests are not of the type POST? Have you had a GET
> (other
> > > than
> > > > OAuth token negotiation steps) work for you? When you were doing the
> > > token
> > > > negotiation steps, were you using POSTs or GETs? When performing a
> POST,
> > > are
> > > > you setting your HTTP Content-Type header to
> > > > "application/x-www-form-urlencoded"?
> >
> > > > What's the exact response from the server? There's usually a payload
> > > > included with the response that may give more clarity to the error.
> We
> > > have
> > > > some upcoming enhancements to the OAuth implementation that will
> return
> > > to
> > > > you the "signature base string we calculated" which would be useful
> here
> > > > now..
> >
> > > > Taylor Singletary
> > > > Developer Advocate, Twitterhttp://twitter.com/episod
> >
> > > > On Thu, Apr 29, 2010 at 1:12 PM, Rahul 
> wrote:
> > > > > Taylor,
> >
> > > > > A quick update on this. I tried generating the signature from my
> > > > > library and the page mentioned below they both seems tbe exactly
> the
> > > > > same.
> >
> > > > >
> http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin.
> > > ..
> >
> > > > > What else can be the reason and how come twitter is responding with
> > > > > Incorrect Signature ?
> >
> > > > > Thanks,
> > > > > Rahul
> >
> > > > > On Apr 29, 1:19 pm, Rahul  wrote:
> > > > > > Taylor,
> >
> > > > > > Thanks for taking a look at it. and to answer your question yes I
> do
> > > > > > pass the status in the signature basetring.
> >
> > > > > > Also below is my string which i pass to the below mentioned
> toSign
> > > > > > variable.
> >
> > > > > > toSign:
> > > > > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > > > > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > > > > >
> %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > > > > > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > > > > > xxx%26oa

Re: [twitter-dev] Re: API call to turn on location-based tweets?

[Abraham Williams]

https://twitter.com/account/geo

On Thu, Apr 29, 2010 at 14:17, Ken  wrote:

>
> > there
> > is also a mobile optimized page with just that checkbox on twitter.comthat
> > you could use too.
> >
>
> could be useful.. what's the URL?
>
> thanks
>
> Ken
>



-- 
Abraham Williams | Developer for hire | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

[twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Rahul]

So what are trying to say is that i should explicitly add Content-type
header in the message going out and that too before creating the
signature?

Thanks,
Rahul

On Apr 29, 4:58 pm, Taylor Singletary 
wrote:
> Since you're sending a status, you should be setting a Content-Type header
> to indicate the type of payload -- it's best never to assume that a HTTP
> server or a HTTP library will know how to understand a payload without being
> explicitly told what kind of payload that is. The signature might be
> mis-calculating on the Twitter side due to not including your parameters
> when constructing it.
>
> Taylor Singletary
> Developer Advocate, Twitterhttp://twitter.com/episod
>
>
>
> On Thu, Apr 29, 2010 at 1:36 PM, Rahul  wrote:
> > Hello,
>
> > To answer your questions. The following is the body response i receive
> > back
>
> > 
> > 
> >  /1/statuses/update.xml
> >  Incorrect signature
> > 
>
> > Also, I am not setting any content type header at this point & I am
> > using "POST" only for token negotiation. and have not tried any get
> > restricted resource yet. I did try some but they seem to be public
> > timeline etc which seems to be working good.
>
> > Any help on this is highly appreciated.
>
> > Thanks,
> > Rahul
>
> > On Apr 29, 4:22 pm, Taylor Singletary 
> > wrote:
> > > Hi Rahul,
>
> > > I'm trying to think of other reasons. We might be throwing the invalid
> > > signature error in a case where the signature is not in fact invalid.
>
> > > How about requests are not of the type POST? Have you had a GET (other
> > than
> > > OAuth token negotiation steps) work for you? When you were doing the
> > token
> > > negotiation steps, were you using POSTs or GETs? When performing a POST,
> > are
> > > you setting your HTTP Content-Type header to
> > > "application/x-www-form-urlencoded"?
>
> > > What's the exact response from the server? There's usually a payload
> > > included with the response that may give more clarity to the error. We
> > have
> > > some upcoming enhancements to the OAuth implementation that will return
> > to
> > > you the "signature base string we calculated" which would be useful here
> > > now..
>
> > > Taylor Singletary
> > > Developer Advocate, Twitterhttp://twitter.com/episod
>
> > > On Thu, Apr 29, 2010 at 1:12 PM, Rahul  wrote:
> > > > Taylor,
>
> > > > A quick update on this. I tried generating the signature from my
> > > > library and the page mentioned below they both seems tbe exactly the
> > > > same.
>
> > > >http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin.
> > ..
>
> > > > What else can be the reason and how come twitter is responding with
> > > > Incorrect Signature ?
>
> > > > Thanks,
> > > > Rahul
>
> > > > On Apr 29, 1:19 pm, Rahul  wrote:
> > > > > Taylor,
>
> > > > > Thanks for taking a look at it. and to answer your question yes I do
> > > > > pass the status in the signature basetring.
>
> > > > > Also below is my string which i pass to the below mentioned toSign
> > > > > variable.
>
> > > > > toSign:
> > > > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > > > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > > > > %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > > > > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > > > > xxx%26oauth_version%3D1.0%26status
> > > > > %3Dhurray
>
> > > > >     Mac mac = Mac.getInstance(HMAC_SHA1);
> > > > >     mac.init(key);
> > > > >     byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
>
> > > > > and in the key i pass: consumerSecret + '&' + tokenSecret
>
> > > > > Thanks,
> > > > > Rahul
>
> > > > > On Apr 29, 12:46 pm, Taylor Singletary 
> > > > > wrote:
>
> > > > > > Hi Rahul,
>
> > > > > > When you are POSTing to statuses/update.xml -- are you including
> > the
> > > > status
> > > > > > that you are posting in your signature base string? As a
> > URL-encoded
> > > > > > parameter, it should be included in both your POST body and the
> > > > signature
> > > > > > base string (but not in the HTTP authorization header).
>
> > > > > > Taylor Singletary
> > > > > > Developer Advocate, Twitterhttp://twitter.com/episod
>
> > > > > > On Thu, Apr 29, 2010 at 9:35 AM, Rahul 
> > wrote:
> > > > > > > Folks,
>
> > > > > > > I have been trying this and have already spent lot of time on
> > this
> > > > but
> > > > > > > what i don't understand is how is getting the access token
> > working
> > > > and
> > > > > > > post to update is not working when i am using the same signature
> > > > > > > generation method for both the requests.
>
> > > > > > > Here is my complete scenario.
> > > > > > > 1. fetch the request token
> > > > > > > 2. redirect the user to the authurize page
> > > > > > > 3. get the verifier from the new called back url
> > > > > > > 4. getting the access token by passing oauth_token and
> > auth_verifier
> > > > > > > 5. create a new post request for update and sign the request with
> > >

[twitter-dev] Re: API call to turn on location-based tweets?

[Ken]

> there
> is also a mobile optimized page with just that checkbox on twitter.com that
> you could use too.
>

could be useful.. what's the URL?

thanks

Ken

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Taylor Singletary]

Since you're sending a status, you should be setting a Content-Type header
to indicate the type of payload -- it's best never to assume that a HTTP
server or a HTTP library will know how to understand a payload without being
explicitly told what kind of payload that is. The signature might be
mis-calculating on the Twitter side due to not including your parameters
when constructing it.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 1:36 PM, Rahul  wrote:

> Hello,
>
> To answer your questions. The following is the body response i receive
> back
>
> 
> 
>  /1/statuses/update.xml
>  Incorrect signature
> 
>
> Also, I am not setting any content type header at this point & I am
> using "POST" only for token negotiation. and have not tried any get
> restricted resource yet. I did try some but they seem to be public
> timeline etc which seems to be working good.
>
> Any help on this is highly appreciated.
>
> Thanks,
> Rahul
>
> On Apr 29, 4:22 pm, Taylor Singletary 
> wrote:
> > Hi Rahul,
> >
> > I'm trying to think of other reasons. We might be throwing the invalid
> > signature error in a case where the signature is not in fact invalid.
> >
> > How about requests are not of the type POST? Have you had a GET (other
> than
> > OAuth token negotiation steps) work for you? When you were doing the
> token
> > negotiation steps, were you using POSTs or GETs? When performing a POST,
> are
> > you setting your HTTP Content-Type header to
> > "application/x-www-form-urlencoded"?
> >
> > What's the exact response from the server? There's usually a payload
> > included with the response that may give more clarity to the error. We
> have
> > some upcoming enhancements to the OAuth implementation that will return
> to
> > you the "signature base string we calculated" which would be useful here
> > now..
> >
> > Taylor Singletary
> > Developer Advocate, Twitterhttp://twitter.com/episod
> >
> >
> >
> > On Thu, Apr 29, 2010 at 1:12 PM, Rahul  wrote:
> > > Taylor,
> >
> > > A quick update on this. I tried generating the signature from my
> > > library and the page mentioned below they both seems tbe exactly the
> > > same.
> >
> > >http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin.
> ..
> >
> > > What else can be the reason and how come twitter is responding with
> > > Incorrect Signature ?
> >
> > > Thanks,
> > > Rahul
> >
> > > On Apr 29, 1:19 pm, Rahul  wrote:
> > > > Taylor,
> >
> > > > Thanks for taking a look at it. and to answer your question yes I do
> > > > pass the status in the signature basetring.
> >
> > > > Also below is my string which i pass to the below mentioned toSign
> > > > variable.
> >
> > > > toSign:
> > > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > > > %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > > > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > > > xxx%26oauth_version%3D1.0%26status
> > > > %3Dhurray
> >
> > > > Mac mac = Mac.getInstance(HMAC_SHA1);
> > > > mac.init(key);
> > > > byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
> >
> > > > and in the key i pass: consumerSecret + '&' + tokenSecret
> >
> > > > Thanks,
> > > > Rahul
> >
> > > > On Apr 29, 12:46 pm, Taylor Singletary  >
> > > > wrote:
> >
> > > > > Hi Rahul,
> >
> > > > > When you are POSTing to statuses/update.xml -- are you including
> the
> > > status
> > > > > that you are posting in your signature base string? As a
> URL-encoded
> > > > > parameter, it should be included in both your POST body and the
> > > signature
> > > > > base string (but not in the HTTP authorization header).
> >
> > > > > Taylor Singletary
> > > > > Developer Advocate, Twitterhttp://twitter.com/episod
> >
> > > > > On Thu, Apr 29, 2010 at 9:35 AM, Rahul 
> wrote:
> > > > > > Folks,
> >
> > > > > > I have been trying this and have already spent lot of time on
> this
> > > but
> > > > > > what i don't understand is how is getting the access token
> working
> > > and
> > > > > > post to update is not working when i am using the same signature
> > > > > > generation method for both the requests.
> >
> > > > > > Here is my complete scenario.
> > > > > > 1. fetch the request token
> > > > > > 2. redirect the user to the authurize page
> > > > > > 3. get the verifier from the new called back url
> > > > > > 4. getting the access token by passing oauth_token and
> auth_verifier
> > > > > > 5. create a new post request for update and sign the request with
> > > > > > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> > > > > >   Note: toSign is the request with the following headers :
> > > > > > oauth_timestamp, oauth_signature_method, oauth_version,
> oauth_nonce,
> > > > > > oauth_consumer_key
> > > > > > 6. Send the request.
> >
> > > > > > Also if helpfull, i am using following values
> > > > > > oauth_nonce=MD5.h

Re: [twitter-dev] API call to turn on location-based tweets?

[Raffi Krikorian]

unfortunately, no.  you could send the user to the settings page, and there
is also a mobile optimized page with just that checkbox on twitter.com that
you could use too.

On Thu, Apr 29, 2010 at 11:56 AM, sabernar  wrote:

> Is there an API call where I can turn on an auth'd user's location
> setting?  I'm referring to the setting "Add a location to your
> tweets".  In my app, I want to give the users a choice on whether they
> can attach their location to their tweet, but it only works if the
> user has that setting in the profile checked.  Since it's an opt-in,
> not many people have that setting on.  Is there a way I can activate
> that setting for the user if they so choose?
>
> Thanks,
>
> S
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

[twitter-dev] Re: Avatar change - JSON issue

[howard]

This seems to be a good thread to ask about a roadmap issue about
avatar handling, because it brings up the issue of timeline accuracy
with respect to the avatar.

If you use a mobile user agent to view twitter (I used iPhone 3.0) you
will see an interesting layout difference with respect to avatars.
Each tweet on a single user's page has its own copy of the avatar
place to the left of the tweet. http://mobile.twitter.com/twitter for
example.

There have been many occasions (and these use cases will only increase
over time) in which the avatar was changed and is referenced in the
tweet itself. The green overlay meme for iranelection was such a time.
Another was when @whitehouse, in the run-up to the health care reform
bill, changed their avatar every day (with a number in a blue field)
to refer to an issue that they wanted to highlight.

http://www.flickr.com/photos/como8/4471337214/sizes/o/in/set-72157623597762275/

This contextual history is currently lost forever.

How cool would it have been to see this tweet (@jack s first ever
tweet: http://twitter.com/jack/status/29 ) with the historically
accurate avatar instead of his current one??

Hey twitter guys, does this sound like something you'd like to build
into the platform?

-H

On Apr 27, 2:06 pm, Edi  wrote:
> Thank you. That's all I needed to know :)
>
> On Apr 26, 7:41 pm, Mark McBride  wrote:
>
> > It's in the bug tracker, and on my list of stuff to look at.  Caching
> > in general is a high priority issue at the moment.
>
> >    ---Mark
>
> >http://twitter.com/mccv
>
> --
> Subscription 
> settings:http://groups.google.com/group/twitter-development-talk/subscribe?hl=en

[twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Rahul]

Hello,

To answer your questions. The following is the body response i receive
back



  /1/statuses/update.xml
  Incorrect signature


Also, I am not setting any content type header at this point & I am
using "POST" only for token negotiation. and have not tried any get
restricted resource yet. I did try some but they seem to be public
timeline etc which seems to be working good.

Any help on this is highly appreciated.

Thanks,
Rahul

On Apr 29, 4:22 pm, Taylor Singletary 
wrote:
> Hi Rahul,
>
> I'm trying to think of other reasons. We might be throwing the invalid
> signature error in a case where the signature is not in fact invalid.
>
> How about requests are not of the type POST? Have you had a GET (other than
> OAuth token negotiation steps) work for you? When you were doing the token
> negotiation steps, were you using POSTs or GETs? When performing a POST, are
> you setting your HTTP Content-Type header to
> "application/x-www-form-urlencoded"?
>
> What's the exact response from the server? There's usually a payload
> included with the response that may give more clarity to the error. We have
> some upcoming enhancements to the OAuth implementation that will return to
> you the "signature base string we calculated" which would be useful here
> now..
>
> Taylor Singletary
> Developer Advocate, Twitterhttp://twitter.com/episod
>
>
>
> On Thu, Apr 29, 2010 at 1:12 PM, Rahul  wrote:
> > Taylor,
>
> > A quick update on this. I tried generating the signature from my
> > library and the page mentioned below they both seems tbe exactly the
> > same.
>
> >http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signin...
>
> > What else can be the reason and how come twitter is responding with
> > Incorrect Signature ?
>
> > Thanks,
> > Rahul
>
> > On Apr 29, 1:19 pm, Rahul  wrote:
> > > Taylor,
>
> > > Thanks for taking a look at it. and to answer your question yes I do
> > > pass the status in the signature basetring.
>
> > > Also below is my string which i pass to the below mentioned toSign
> > > variable.
>
> > > toSign:
> > > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > > %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > > xxx%26oauth_version%3D1.0%26status
> > > %3Dhurray
>
> > >     Mac mac = Mac.getInstance(HMAC_SHA1);
> > >     mac.init(key);
> > >     byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
>
> > > and in the key i pass: consumerSecret + '&' + tokenSecret
>
> > > Thanks,
> > > Rahul
>
> > > On Apr 29, 12:46 pm, Taylor Singletary 
> > > wrote:
>
> > > > Hi Rahul,
>
> > > > When you are POSTing to statuses/update.xml -- are you including the
> > status
> > > > that you are posting in your signature base string? As a URL-encoded
> > > > parameter, it should be included in both your POST body and the
> > signature
> > > > base string (but not in the HTTP authorization header).
>
> > > > Taylor Singletary
> > > > Developer Advocate, Twitterhttp://twitter.com/episod
>
> > > > On Thu, Apr 29, 2010 at 9:35 AM, Rahul  wrote:
> > > > > Folks,
>
> > > > > I have been trying this and have already spent lot of time on this
> > but
> > > > > what i don't understand is how is getting the access token working
> > and
> > > > > post to update is not working when i am using the same signature
> > > > > generation method for both the requests.
>
> > > > > Here is my complete scenario.
> > > > > 1. fetch the request token
> > > > > 2. redirect the user to the authurize page
> > > > > 3. get the verifier from the new called back url
> > > > > 4. getting the access token by passing oauth_token and auth_verifier
> > > > > 5. create a new post request for update and sign the request with
> > > > > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> > > > >   Note: toSign is the request with the following headers :
> > > > > oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> > > > > oauth_consumer_key
> > > > > 6. Send the request.
>
> > > > > Also if helpfull, i am using following values
> > > > > oauth_nonce=MD5.hexHash(getTimestampInSeconds())
> > > > > oauth_signature_method=HMAC-SHA1
> > > > > oauth_version=1.0
>
> > > > > I have verified most of the things and looks good to me, also there
> > is
> > > > > very less possibility of generating wrong signature as I have used
> > the
> > > > > same signature to get the access token and was able to successfully
> > > > > receive it.
>
> > > > > Any pointers highly appreciated.
>
> > > > > Thanks,
> > > > > Rahul

Re: [twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Taylor Singletary]

Hi Rahul,

I'm trying to think of other reasons. We might be throwing the invalid
signature error in a case where the signature is not in fact invalid.

How about requests are not of the type POST? Have you had a GET (other than
OAuth token negotiation steps) work for you? When you were doing the token
negotiation steps, were you using POSTs or GETs? When performing a POST, are
you setting your HTTP Content-Type header to
"application/x-www-form-urlencoded"?

What's the exact response from the server? There's usually a payload
included with the response that may give more clarity to the error. We have
some upcoming enhancements to the OAuth implementation that will return to
you the "signature base string we calculated" which would be useful here
now..


Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 1:12 PM, Rahul  wrote:

> Taylor,
>
> A quick update on this. I tried generating the signature from my
> library and the page mentioned below they both seems tbe exactly the
> same.
>
>
> http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/
>
> What else can be the reason and how come twitter is responding with
> Incorrect Signature ?
>
> Thanks,
> Rahul
>
> On Apr 29, 1:19 pm, Rahul  wrote:
> > Taylor,
> >
> > Thanks for taking a look at it. and to answer your question yes I do
> > pass the status in the signature basetring.
> >
> > Also below is my string which i pass to the below mentioned toSign
> > variable.
> >
> > toSign:
> > POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> > %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> > %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> > SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> > xxx%26oauth_version%3D1.0%26status
> > %3Dhurray
> >
> > Mac mac = Mac.getInstance(HMAC_SHA1);
> > mac.init(key);
> > byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
> >
> > and in the key i pass: consumerSecret + '&' + tokenSecret
> >
> > Thanks,
> > Rahul
> >
> > On Apr 29, 12:46 pm, Taylor Singletary 
> > wrote:
> >
> >
> >
> > > Hi Rahul,
> >
> > > When you are POSTing to statuses/update.xml -- are you including the
> status
> > > that you are posting in your signature base string? As a URL-encoded
> > > parameter, it should be included in both your POST body and the
> signature
> > > base string (but not in the HTTP authorization header).
> >
> > > Taylor Singletary
> > > Developer Advocate, Twitterhttp://twitter.com/episod
> >
> > > On Thu, Apr 29, 2010 at 9:35 AM, Rahul  wrote:
> > > > Folks,
> >
> > > > I have been trying this and have already spent lot of time on this
> but
> > > > what i don't understand is how is getting the access token working
> and
> > > > post to update is not working when i am using the same signature
> > > > generation method for both the requests.
> >
> > > > Here is my complete scenario.
> > > > 1. fetch the request token
> > > > 2. redirect the user to the authurize page
> > > > 3. get the verifier from the new called back url
> > > > 4. getting the access token by passing oauth_token and auth_verifier
> > > > 5. create a new post request for update and sign the request with
> > > > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> > > >   Note: toSign is the request with the following headers :
> > > > oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> > > > oauth_consumer_key
> > > > 6. Send the request.
> >
> > > > Also if helpfull, i am using following values
> > > > oauth_nonce=MD5.hexHash(getTimestampInSeconds())
> > > > oauth_signature_method=HMAC-SHA1
> > > > oauth_version=1.0
> >
> > > > I have verified most of the things and looks good to me, also there
> is
> > > > very less possibility of generating wrong signature as I have used
> the
> > > > same signature to get the access token and was able to successfully
> > > > receive it.
> >
> > > > Any pointers highly appreciated.
> >
> > > > Thanks,
> > > > Rahul
>

[twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Rahul]

Taylor,

A quick update on this. I tried generating the signature from my
library and the page mentioned below they both seems tbe exactly the
same.

http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/

What else can be the reason and how come twitter is responding with
Incorrect Signature ?

Thanks,
Rahul

On Apr 29, 1:19 pm, Rahul  wrote:
> Taylor,
>
> Thanks for taking a look at it. and to answer your question yes I do
> pass the status in the signature basetring.
>
> Also below is my string which i pass to the below mentioned toSign
> variable.
>
> toSign:
> POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> xxx%26oauth_version%3D1.0%26status
> %3Dhurray
>
>     Mac mac = Mac.getInstance(HMAC_SHA1);
>     mac.init(key);
>     byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
>
> and in the key i pass: consumerSecret + '&' + tokenSecret
>
> Thanks,
> Rahul
>
> On Apr 29, 12:46 pm, Taylor Singletary 
> wrote:
>
>
>
> > Hi Rahul,
>
> > When you are POSTing to statuses/update.xml -- are you including the status
> > that you are posting in your signature base string? As a URL-encoded
> > parameter, it should be included in both your POST body and the signature
> > base string (but not in the HTTP authorization header).
>
> > Taylor Singletary
> > Developer Advocate, Twitterhttp://twitter.com/episod
>
> > On Thu, Apr 29, 2010 at 9:35 AM, Rahul  wrote:
> > > Folks,
>
> > > I have been trying this and have already spent lot of time on this but
> > > what i don't understand is how is getting the access token working and
> > > post to update is not working when i am using the same signature
> > > generation method for both the requests.
>
> > > Here is my complete scenario.
> > > 1. fetch the request token
> > > 2. redirect the user to the authurize page
> > > 3. get the verifier from the new called back url
> > > 4. getting the access token by passing oauth_token and auth_verifier
> > > 5. create a new post request for update and sign the request with
> > > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> > >   Note: toSign is the request with the following headers :
> > > oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> > > oauth_consumer_key
> > > 6. Send the request.
>
> > > Also if helpfull, i am using following values
> > > oauth_nonce=MD5.hexHash(getTimestampInSeconds())
> > > oauth_signature_method=HMAC-SHA1
> > > oauth_version=1.0
>
> > > I have verified most of the things and looks good to me, also there is
> > > very less possibility of generating wrong signature as I have used the
> > > same signature to get the access token and was able to successfully
> > > receive it.
>
> > > Any pointers highly appreciated.
>
> > > Thanks,
> > > Rahul

[twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Rahul]

Any Clues or suggestions ?

Thanks,
Rahul

On Apr 29, 1:19 pm, Rahul  wrote:
> Taylor,
>
> Thanks for taking a look at it. and to answer your question yes I do
> pass the status in the signature basetring.
>
> Also below is my string which i pass to the below mentioned toSign
> variable.
>
> toSign:
> POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
> %2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
> %3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
> SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
> xxx%26oauth_version%3D1.0%26status
> %3Dhurray
>
>     Mac mac = Mac.getInstance(HMAC_SHA1);
>     mac.init(key);
>     byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));
>
> and in the key i pass: consumerSecret + '&' + tokenSecret
>
> Thanks,
> Rahul
>
> On Apr 29, 12:46 pm, Taylor Singletary 
> wrote:
>
>
>
> > Hi Rahul,
>
> > When you are POSTing to statuses/update.xml -- are you including the status
> > that you are posting in your signature base string? As a URL-encoded
> > parameter, it should be included in both your POST body and the signature
> > base string (but not in the HTTP authorization header).
>
> > Taylor Singletary
> > Developer Advocate, Twitterhttp://twitter.com/episod
>
> > On Thu, Apr 29, 2010 at 9:35 AM, Rahul  wrote:
> > > Folks,
>
> > > I have been trying this and have already spent lot of time on this but
> > > what i don't understand is how is getting the access token working and
> > > post to update is not working when i am using the same signature
> > > generation method for both the requests.
>
> > > Here is my complete scenario.
> > > 1. fetch the request token
> > > 2. redirect the user to the authurize page
> > > 3. get the verifier from the new called back url
> > > 4. getting the access token by passing oauth_token and auth_verifier
> > > 5. create a new post request for update and sign the request with
> > > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> > >   Note: toSign is the request with the following headers :
> > > oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> > > oauth_consumer_key
> > > 6. Send the request.
>
> > > Also if helpfull, i am using following values
> > > oauth_nonce=MD5.hexHash(getTimestampInSeconds())
> > > oauth_signature_method=HMAC-SHA1
> > > oauth_version=1.0
>
> > > I have verified most of the things and looks good to me, also there is
> > > very less possibility of generating wrong signature as I have used the
> > > same signature to get the access token and was able to successfully
> > > receive it.
>
> > > Any pointers highly appreciated.
>
> > > Thanks,
> > > Rahul

Re: [twitter-dev] API Suggestion - Add Meta Data to twitter links...

[Abraham Williams]

Twitter Annotations have been announced. Lets you add lots of metadata to
statuses.

http://groups.google.com/group/twitter-development-talk/msg/e6394e433b6582c5

Abraham

On Thu, Apr 29, 2010 at 11:39, mishagray  wrote:

> One thought that I have had, is that 3rd party developers can't ADD
> any more detail to Twitter posts, than what is contained inside the
> 120 characters, except for maybe location data.
>
> However with the growth of embedding LINKS inside of tweets, would it
> make sense to develop a Twitter XML Meta data SCHEMA to add meta data
> INSIDE THE LINK.
>
> For example, if the link points to a VIDEO, than the inside the URL,
> the user could add standard "tweet" meta data explaining to twitter
> clients that the tweet itself contains a video, that could be directly
> embedded into a client.
>
> I know Google Buzz is doing some "intelligent" dipping into embedded
> links, but this would establish a Twitter "Standard" for any twitter
> with a link in it.
>
> Therefore, ANY tweet containing an URL, could be quickly queried for
> the XML metadata, and be able to extract things like a PHOTO, VIDEO,
> or even widgets, feeds, people, places, etc.
> You could also include the original full message that exceed the 140
> character limit, in the case where a message was truncated from
> another source.
> Maybe even a way to embed the required "embed" code so that twitter
> clients properly display the item inside a client.
>
> Is there anything like this already?
>



-- 
Abraham Williams | Developer for hire | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

[twitter-dev] Is there a popup sized or small dimensions version of the oauth login page?

[app]

My twitter application is a web application in a tiny widget without a
lot of height or width, forwarding the user to the default oauth login
form on Twitter is an undesirable user experience give that the
existing page does not fit in the widgets dimensions. Facebook allows
developers to provide a "popup" param for their login which provides a
compact login page, does Twitter offer anything similar?

[twitter-dev] Re: Trouble with OAuth Consumer example in Java

[Thom Nichols]

Hi Taylor,

Thanks for your quick response.

So I did notice the ampersand at the end of the consumer secret
(normally it's between the consumer secret and the token secret,
right?)  The HMAC_SHA1 class that I'm attempting to use in my above
example does that (line 69 of HMAC_SHA1.java), and in my code I did
the same.  As for url-encoding the signature, well, you can see that's
not the difference between what I'm generating and what the doc
shows.  For what it's worth, my code and net.oauth.signature.HMAC_SHA1
generate the same signature, but it's different from what's in the
Twitter documentation :|

I've put up an example of my code on PasteBin so you can run it
entirely independent of any other libraries.  If anyone can get it to
generate the same signature that the documentation says it should be,
I'll be thrilled :)
http://thomnichols.pastebin.com/w6i47wNA

Thanks.
-Tom

On Apr 29, 12:13 pm, Taylor Singletary 
wrote:
> Hi Thom,
>
> I like your approach. I think there are two things possibly wrong in your
> implementation.
>
> The first: Your signing key needs to have the "&" character at the end, even
> when there's no additional oauth_token_secret in the request.
>
> Instead, of your signing key being
> "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98"
> it should be "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&" (this part is
> mentioned as part of the examples in this section on our auth document)
>
> The second: One detail I may have omitted in the documentation that might be
> key for you here is the following snippet from the OAuth specification:
>
> oauth_signature is set to S, first base64-encoded per [RFC2045] (Freed, N.
> and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One:
> Format of Internet Message Bodies,” .)
> section 6.8, then URL-encoded per
> Parameter
> Encoding (Parameter Encoding)
> .
>
> Hope this helps! The second point of information is often a non-relevant,
> but it's good to keep in mind.
>
> Taylor Singletary
> Developer Advocate, Twitterhttp://twitter.com/episod
>
> On Thu, Apr 29, 2010 at 8:56 AM, Thom Nichols  wrote:
> > So I'm trying to implement an OAuth consumer* and running into some
> > trouble.  As a sanity check I'm trying to replicate the example
> > provided in the dev documentation (http://dev.twitter.com/pages/
> > auth#request-token).  I'm stuck when generating the signature for the
> > request.  That is, if I use the example parameters and example secret
> > key, the signature in the example doesn't match the signature I'm
> > generating.  So I took another step back to see if I can use the
> > net.oauth Java implementation, and _that_ doesn't create a signature
> > matching what's in the example either!  So either I'm doing something
> > painfully wrong or the Twitter documentation is incorrect.
>
> > If I take the 'base string' in the documentation and try to sign it
> > with the 'signing key' from the example, it's only a couple lines of
> > Groovy to use the net.oauth API:
>
> > import net.oauth.signature.HMAC_SHA1
>
> > // string from the example
> > def str = 'POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> > %2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost
> > %253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id
> > %253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce
> > %3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method
> > %3DHMAC_SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0'
>
> > // use the consumer secret from the example:
> > def hmac = new
> > HMAC_SHA1(consumerSecret:'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98')
>
> > println hmac.getSignature(str)
> > // prints 'cz+LlAuzclTvE2YQiNogw3dC4yo=
> > // Example gives: 8wUi7m5HFQy76nowoCThusfgB+Q=
>
> > Any ideas?  Let me reiterate -- I know i can't use the example secret
> > key & parameters in my own code...  I'm trying to use some 'known
> > constant' to verify that at least I'm performing the hash operation
> > correctly.  My _real_ code uses javax.crypto.Mac similar to what's
> > being done by net.oauth...HMAC_SHA1.  You can see the code here:
>
> >http://oauth.googlecode.com/svn/code/java/core/commons/src/main/java/...
>
> > So my theory is, either the Twitter documentation is wrong and I
> > shouldn't trust it as a basis for implementing my own oauth consumer
> > code, or there's some problem with how javax.crypto.Mac is being
> > used...  Or I'm doing something else totally idiotic.  Any ideas?
>
> > Thanks.
>
> > * partially as just an academic exercise, I know there are other OAuth
> > implementations for Java.  So please don't ask "why don't you just use
> > Twitter4j or OAuth library ?"  :)

[twitter-dev] API call to turn on location-based tweets?

[sabernar]

Is there an API call where I can turn on an auth'd user's location
setting?  I'm referring to the setting "Add a location to your
tweets".  In my app, I want to give the users a choice on whether they
can attach their location to their tweet, but it only works if the
user has that setting in the profile checked.  Since it's an opt-in,
not many people have that setting on.  Is there a way I can activate
that setting for the user if they so choose?

Thanks,

S

[twitter-dev] API Suggestion - Add Meta Data to twitter links...

[mishagray]

One thought that I have had, is that 3rd party developers can't ADD
any more detail to Twitter posts, than what is contained inside the
120 characters, except for maybe location data.

However with the growth of embedding LINKS inside of tweets, would it
make sense to develop a Twitter XML Meta data SCHEMA to add meta data
INSIDE THE LINK.

For example, if the link points to a VIDEO, than the inside the URL,
the user could add standard "tweet" meta data explaining to twitter
clients that the tweet itself contains a video, that could be directly
embedded into a client.

I know Google Buzz is doing some "intelligent" dipping into embedded
links, but this would establish a Twitter "Standard" for any twitter
with a link in it.

Therefore, ANY tweet containing an URL, could be quickly queried for
the XML metadata, and be able to extract things like a PHOTO, VIDEO,
or even widgets, feeds, people, places, etc.
You could also include the original full message that exceed the 140
character limit, in the case where a message was truncated from
another source.
Maybe even a way to embed the required "embed" code so that twitter
clients properly display the item inside a client.

Is there anything like this already?

Re: [twitter-dev] Re: Search API - from:xxx not returning @ replies

[Abraham Williams]

Probably related to this:
http://groups.google.com/group/twitter-development-talk/msg/3af17ba93d66abbf

On Thu, Apr 29, 2010 at 11:52, mikawhite  wrote:

> Comcastbonnie confirms this is not unusual:
>
> http://twitter.com/ComcastBonnie/statuses/13083585494
>
>
> That this error happens for some and not others is not surprising.
> With new focus on the Search API this type of issue can be addressed :)
>



-- 
Abraham Williams | Developer for hire | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

[twitter-dev] Re: Search API - from:xxx not returning @ replies

[mikawhite]

Comcastbonnie confirms this is not unusual:

http://twitter.com/ComcastBonnie/statuses/13083585494


That this error happens for some and not others is not surprising.
With new focus on the Search API this type of issue can be addressed :)

Re: [twitter-dev] Search API - from:xxx not returning @ replies

[Abraham Williams]

The API worked for me.

http://hurl.it/hurls/b038fc2feab35f899dad30dc3d30de8b310b8520/016284e356b27667be31737e2aeb7d6593ea87dc

On Thu, Apr 29, 2010 at 11:39, mikawhite  wrote:

>
> Thursday 2010.04.29 - 11:33am PDT
>
> Search API : No posted @ replies are found
>
> I tried
>
> from:comcastbonnie
> from:al3x
> from:raffi
>
>
>
> Search web is OK.
>



-- 
Abraham Williams | Developer for hire | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

[twitter-dev] Search API - from:xxx not returning @ replies

[mikawhite]

Thursday 2010.04.29 - 11:33am PDT

Search API : No posted @ replies are found

I tried

from:comcastbonnie
from:al3x
from:raffi



Search web is OK.

Re: [twitter-dev] What is the best way to find all the replies to a tweet?

[Abraham Williams]

There is no quicker way other then maybe using the Streaming API but you
will not get any historical data from the Stream.

Abraham

On Thu, Apr 29, 2010 at 00:07, Dushyant  wrote:

> I can think of only one efficient way which is to use the status
> mentions. Is there any other quicker way?
>
> http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-statuses-mentions
>



-- 
Abraham Williams | Developer for hire | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

Re: [twitter-dev] Re: xAuth Approval?

[Abraham Williams]

On Thu, Apr 29, 2010 at 03:17, Ivo  wrote:

> Also I can't find the word "Browser" in "Twitter Client", and what's
> so secure about the Browser anyway? There's no reason to trust it!
> It's just another program, like the Twitter Client of your choice is
> too. Or can you make Mozilla responsible if someone gets his Accounts
> hacked while using Firefox? :P
>

How is Google Chrome, a browser built by one of the largest corporations on
the planet based off an open source project of which I can audit the code
anytime I wish, not more trustworthy than Generic Twitter Client 5000™ built
by Bob in his mom's basement?

Abraham

-- 
Abraham Williams | Developer for hire | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

[twitter-dev] Re: Is /users/show broken or is it just me?

[Ryan Rosario]

Hi Mark,

My code has been running for 2 days so far without this happening.
If it happens again I will get you a new set of IDs and cursors.

R.

On Apr 27, 10:38 pm, Mark McBride  wrote:
> And... now this user works.  Can you still reproduce this issue?  If
> so, can you get me a new set of user IDs?
>
>    ---Mark
>
> http://twitter.com/mccv
>
>
>
> On Tue, Apr 27, 2010 at 1:47 PM, Ryan Rosario  wrote:
> > Thanks. Posted.
>
> > R.
>
> > On Apr 25, 3:51 pm, Mark McBride  wrote:
> >> I can reproduce this, so we should be good to go.  Can one of you open
> >> an issue on the code tracker so we can track it?
>
> >>    ---Mark
>
> >>http://twitter.com/mccv
>
> >> On Sun, Apr 25, 2010 at 11:25 AM, Ryan Rosario  
> >> wrote:
> >> > Here are the ones I have found so far. For the first one, I am able to
> >> > reproduce the error on this one cursor.
>
> >> >http://api.twitter.com/1/statuses/followers/pothos.json?cursor=129860...
> >> > User numeric ID: 3598791   (cursor unknown)
>
> >> > R.
>
> >> > On Apr 25, 10:26 am, Raffi Krikorian  wrote:
> >> >> this shouldn't happen - feel free to give a sample of the "poison user" 
> >> >> IDs,
> >> >> and we'll investigate them.  we already have one, and we'll look into 
> >> >> more.
>
> >> >> On Sun, Apr 25, 2010 at 10:16 AM, Ryan Rosario 
> >> >> wrote:
>
> >> >> > I've found that all of my 500 isses are related to "poison users." For
> >> >> > whatever reason, I can never get their followers. I retry on 500, so I
> >> >> > end up with an infinite loop of 500s for these users. When 500s happen
> >> >> > with other users, my program usually succeeds after 1 or 2 retries.
>
> >> >> > The only way to resolve it is to kill my process, add the user to a
> >> >> > blacklist, and start over. It's really frustrating.
>
> >> >> > Ryan
>
> >> >> > On Apr 25, 5:31 am, Dossy Shiobara  wrote:
> >> >> > > From my logged errors ... here's an example:
>
> >> >> > >http://api.twitter.com/1/users/show.xml?id=4583991
>
> >> >> > > On 4/25/10 12:37 AM, Mark McBride wrote:
>
> >> >> > > > Without more details this is going to be really hard to 
> >> >> > > > troubleshoot.
> >> >> > > > Can you reliably reproduce this?  What are the exact URIs you're
> >> >> > > > calling that return 500s?  What user are you using to make these
> >> >> > > > calls?  What authentication method?
>
> >> >> > > --
> >> >> > > Dossy Shiobara              | do...@panoptic.com |http://dossy.org/
> >> >> > > Panoptic Computer Network   |http://panoptic.com/
> >> >> > >   "He realized the fastest way to change is to laugh at your own
> >> >> > >     folly -- then you can let go and quickly move on." (p. 70)
>
> >> >> > > --
> >> >> > > Subscription settings:
> >> >> >http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
>
> >> >> --
> >> >> Raffi Krikorian
> >> >> Twitter Platform Teamhttp://twitter.com/raffi

Re: [twitter-dev] Rate limit status with authentication credentials for authenticated user account.

[Abraham Williams]

http://dev.twitter.com/doc/get/account/rate_limit_status

You should avoid
using username/password to authenticate as you will just have to update the
code in June when BasicAuth is removed.

Abraham

On Thu, Apr 29, 2010 at 03:58, Rushikesh Bhanage wrote:

> Hi there,
>
>We are developing an app in which we need little of your help. may I
> know how to get rate-limit status if we provide authentication credentials
> of an authenticated user. is it possible if we provide user name and
> password manually through code instead of twitter OAuth. If it is, how can
> we do that?
>
>
>
> waiting for reply eagerly,
> Thank you very much in advance.
>
>


-- 
Abraham Williams | Developer for hire | http://abrah.am
@abraham | http://projects.abrah.am | http://blog.abrah.am
This email is: [ ] shareable [x] ask first [ ] private.

[twitter-dev] Re: Incorrect signature when calling update url /1/statuses/update.xml

[Rahul]

Taylor,

Thanks for taking a look at it. and to answer your question yes I do
pass the status in the signature basetring.

Also below is my string which i pass to the below mentioned toSign
variable.

toSign:
POST&https%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses
%2Fupdate.xml&oauth_consumer_key%xxx%26oauth_nonce
%3Df2756a360f610d375722ee97e4c2391f%26oauth_signature_method%3DHMAC-
SHA1%26oauth_timestamp%3D1272560943%26oauth_token%3D36554645-
xxx%26oauth_version%3D1.0%26status
%3Dhurray

Mac mac = Mac.getInstance(HMAC_SHA1);
mac.init(key);
byte[] bytes = mac.doFinal(toSign.getBytes(UTF8));

and in the key i pass: consumerSecret + '&' + tokenSecret

Thanks,
Rahul

On Apr 29, 12:46 pm, Taylor Singletary 
wrote:
> Hi Rahul,
>
> When you are POSTing to statuses/update.xml -- are you including the status
> that you are posting in your signature base string? As a URL-encoded
> parameter, it should be included in both your POST body and the signature
> base string (but not in the HTTP authorization header).
>
> Taylor Singletary
> Developer Advocate, Twitterhttp://twitter.com/episod
>
>
>
> On Thu, Apr 29, 2010 at 9:35 AM, Rahul  wrote:
> > Folks,
>
> > I have been trying this and have already spent lot of time on this but
> > what i don't understand is how is getting the access token working and
> > post to update is not working when i am using the same signature
> > generation method for both the requests.
>
> > Here is my complete scenario.
> > 1. fetch the request token
> > 2. redirect the user to the authurize page
> > 3. get the verifier from the new called back url
> > 4. getting the access token by passing oauth_token and auth_verifier
> > 5. create a new post request for update and sign the request with
> > HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
> >   Note: toSign is the request with the following headers :
> > oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> > oauth_consumer_key
> > 6. Send the request.
>
> > Also if helpfull, i am using following values
> > oauth_nonce=MD5.hexHash(getTimestampInSeconds())
> > oauth_signature_method=HMAC-SHA1
> > oauth_version=1.0
>
> > I have verified most of the things and looks good to me, also there is
> > very less possibility of generating wrong signature as I have used the
> > same signature to get the access token and was able to successfully
> > receive it.
>
> > Any pointers highly appreciated.
>
> > Thanks,
> > Rahul

Re: [twitter-dev] Incorrect signature when calling update url /1/statuses/update.xml

[Taylor Singletary]

Hi Rahul,

When you are POSTing to statuses/update.xml -- are you including the status
that you are posting in your signature base string? As a URL-encoded
parameter, it should be included in both your POST body and the signature
base string (but not in the HTTP authorization header).

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 9:35 AM, Rahul  wrote:

> Folks,
>
> I have been trying this and have already spent lot of time on this but
> what i don't understand is how is getting the access token working and
> post to update is not working when i am using the same signature
> generation method for both the requests.
>
> Here is my complete scenario.
> 1. fetch the request token
> 2. redirect the user to the authurize page
> 3. get the verifier from the new called back url
> 4. getting the access token by passing oauth_token and auth_verifier
> 5. create a new post request for update and sign the request with
> HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
>   Note: toSign is the request with the following headers :
> oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
> oauth_consumer_key
> 6. Send the request.
>
> Also if helpfull, i am using following values
> oauth_nonce=MD5.hexHash(getTimestampInSeconds())
> oauth_signature_method=HMAC-SHA1
> oauth_version=1.0
>
> I have verified most of the things and looks good to me, also there is
> very less possibility of generating wrong signature as I have used the
> same signature to get the access token and was able to successfully
> receive it.
>
> Any pointers highly appreciated.
>
> Thanks,
> Rahul
>

[twitter-dev] Incorrect signature when calling update url /1/statuses/update.xml

[Rahul]

Folks,

I have been trying this and have already spent lot of time on this but
what i don't understand is how is getting the access token working and
post to update is not working when i am using the same signature
generation method for both the requests.

Here is my complete scenario.
1. fetch the request token
2. redirect the user to the authurize page
3. get the verifier from the new called back url
4. getting the access token by passing oauth_token and auth_verifier
5. create a new post request for update and sign the request with
HMAC.sign(toSign, consumerSecret + '&' + tokenSecret)
   Note: toSign is the request with the following headers :
oauth_timestamp, oauth_signature_method, oauth_version, oauth_nonce,
oauth_consumer_key
6. Send the request.

Also if helpfull, i am using following values
oauth_nonce=MD5.hexHash(getTimestampInSeconds())
oauth_signature_method=HMAC-SHA1
oauth_version=1.0

I have verified most of the things and looks good to me, also there is
very less possibility of generating wrong signature as I have used the
same signature to get the access token and was able to successfully
receive it.

Any pointers highly appreciated.

Thanks,
Rahul

[twitter-dev] how do I put Twitter on my site in flash?

[JAIMESKT]

I have a flash website, but I do not know how to view messages in the
twitter page on my site, someone could help me with this

Re: [twitter-dev] Re: one application authentication

[Taylor Singletary]

Hi Abava,

There's a feature now to get your access token for any app you have
registered. You can find this by navigating to one of your application
detail pages on http://dev.twitter.com/apps and clicking on the "My Token"
link. Then you can use the access token and secret given to you in your own
application easily. There are more tips on the single access token model
here: http://bit.ly/1token

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Tue, Apr 27, 2010 at 2:28 AM, Abava  wrote:

> >I'll see if there's anything we can do about offering a "give me /my/
> access
> yes, please let us know. That is why I wrote this qyuestion. I think
> this option should be somewhere within
> 'my account' settings on Twitter
>
> On Apr 26, 6:17 pm, Taylor Singletary 
> wrote:
> > Obtaining a single access token for your application without necessarily
> > implementing the entire OAuth dance shouldn't be too difficult -- there
> are
> > many OAuth libraries that include command-line tools to acquire access
> > tokens in this way. You could also use Twurl (
> http://github.com/marcel/twurl). My OAuth Dancer (
> http://bit.ly/oauth-dancer) tool also lets you do this through a server
> > interface your run on your own machine. I don't recommend sharing your
> > consumer key or secret to any third-party website to acquire this
> > information, but using a tool locally on your own machine is likely the
> best
> > method.
> >
> > I'll see if there's anything we can do about offering a "give me /my/
> access
> > token & access token secret for my application" feature on
> > dev.twitter.comto help with this. It'd then be as simple as porting
> > those two pieces of
> > information into whatever database, configuration file, or otherwise you
> > would use to store the access token and access token secret. As with any
> of
> > these kind of keys though, it wouldn't be appropriate to distribute
> access
> > tokens of any kind with your software -- whether on github, in a desktop
> > application, or in plaintext in a Javascript file.
> >
> > Taylor Singletary
> > Developer Advocate, Twitterhttp://twitter.com/episod
> >
> > On Mon, Apr 26, 2010 at 5:29 AM, Ken  wrote:
> > > With OAuthcalypse looming, there is an urgent need for your service. I
> > > doubt that every API user with a "Twitter-spitter" even knows about
> > > the deadline. If you can convince them of your benign intent, great.
> > > If you have thought of a way to make it pay, even better!
> >
> > > On Apr 26, 10:26 am, Harshad RJ  wrote:
> > > > On Mon, Apr 26, 2010 at 1:50 PM, Ken  wrote:
> > > > > For security reasons this service should be left to Twitter, but a
> > > > > third party could deliver the same tokens if provided with the
> app's
> > > > > Consumer key and secret. A bit messy though - need to change the
> > > > > requesting app's callback URL - but it's doable.
> >
> > > > > Is someone already doing this? Would that violate ToS?
> >
> > > > Just FYI, I am working on a similar concept. Waiting for
> clarifications
> > > from
> > > > Twitter before releasing it publicly.
> >
> > > > --
> > > > Harshad RJhttp://hrj.wikidot.com
> >
> > > > --
> > > > Subscription settings:
> > >http://groups.google.com/group/twitter-development-talk/subscribe?hl=en
>

[twitter-dev] Re: Geolocation bug?

[Ken]

Here is the error from clicking on a neighborhood link, copied from
Firebug:

I.geometry is null
http://a1.twimg.com/a/1272477713/javascripts/geov1.js?1272481439
Line 1

Re: [twitter-dev] Trouble with OAuth Consumer example in Java

[Taylor Singletary]

Hi Thom,

I like your approach. I think there are two things possibly wrong in your
implementation.

The first: Your signing key needs to have the "&" character at the end, even
when there's no additional oauth_token_secret in the request.

Instead, of your signing key being
"MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98"
it should be "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&" (this part is
mentioned as part of the examples in this section on our auth document)

The second: One detail I may have omitted in the documentation that might be
key for you here is the following snippet from the OAuth specification:

oauth_signature is set to S, first base64-encoded per [RFC2045] (Freed, N.
and N. Borenstein, “Multipurpose Internet Mail Extensions (MIME) Part One:
Format of Internet Message Bodies,” .)
section 6.8, then URL-encoded per
Parameter
Encoding (Parameter Encoding)
.



Hope this helps! The second point of information is often a non-relevant,
but it's good to keep in mind.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 8:56 AM, Thom Nichols  wrote:

> So I'm trying to implement an OAuth consumer* and running into some
> trouble.  As a sanity check I'm trying to replicate the example
> provided in the dev documentation (http://dev.twitter.com/pages/
> auth#request-token).  I'm stuck when generating the signature for the
> request.  That is, if I use the example parameters and example secret
> key, the signature in the example doesn't match the signature I'm
> generating.  So I took another step back to see if I can use the
> net.oauth Java implementation, and _that_ doesn't create a signature
> matching what's in the example either!  So either I'm doing something
> painfully wrong or the Twitter documentation is incorrect.
>
> If I take the 'base string' in the documentation and try to sign it
> with the 'signing key' from the example, it's only a couple lines of
> Groovy to use the net.oauth API:
>
> import net.oauth.signature.HMAC_SHA1
>
> // string from the example
> def str = 'POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> %2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost
> %253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id
> %253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce
> %3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method
> %3DHMAC_SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0'
>
> // use the consumer secret from the example:
> def hmac = new
> HMAC_SHA1(consumerSecret:'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98')
>
>
> println hmac.getSignature(str)
> // prints 'cz+LlAuzclTvE2YQiNogw3dC4yo=
> // Example gives: 8wUi7m5HFQy76nowoCThusfgB+Q=
>
> Any ideas?  Let me reiterate -- I know i can't use the example secret
> key & parameters in my own code...  I'm trying to use some 'known
> constant' to verify that at least I'm performing the hash operation
> correctly.  My _real_ code uses javax.crypto.Mac similar to what's
> being done by net.oauth...HMAC_SHA1.  You can see the code here:
>
> http://oauth.googlecode.com/svn/code/java/core/commons/src/main/java/net/oauth/signature/HMAC_SHA1.java
>
> So my theory is, either the Twitter documentation is wrong and I
> shouldn't trust it as a basis for implementing my own oauth consumer
> code, or there's some problem with how javax.crypto.Mac is being
> used...  Or I'm doing something else totally idiotic.  Any ideas?
>
> Thanks.
>
>
>
> * partially as just an academic exercise, I know there are other OAuth
> implementations for Java.  So please don't ask "why don't you just use
> Twitter4j or OAuth library ?"  :)
>

[twitter-dev] Geolocation bug?

[Ken]

Hey sorry to report a bug here..  (I did finally find http://twitter.com/HELP
via Google, but there's no confirmation that the report was received.
Upon submission of the bug report I was redirected to 
http://twitter.com/help/start.)

Anyway, it is sort of a developer thing, concerning geolocated tweets.

Some tweets that include geodata are tagged "via [appname] from
[neighborhood]" while others are tagged "via [appname] from here".
(There's been a lot of weirdness in the neighborhood names, at least
here in Europe.)

Problem is, on Firefox under both Ubuntu 9.10 and Windows 7, clicking
on the "neighborhood" links doesn't work. No response, no little map-
in-a-box. The "from here" ones work fine.

Is it only me?

[twitter-dev] Trouble with OAuth Consumer example in Java

[Thom Nichols]

So I'm trying to implement an OAuth consumer* and running into some
trouble.  As a sanity check I'm trying to replicate the example
provided in the dev documentation (http://dev.twitter.com/pages/
auth#request-token).  I'm stuck when generating the signature for the
request.  That is, if I use the example parameters and example secret
key, the signature in the example doesn't match the signature I'm
generating.  So I took another step back to see if I can use the
net.oauth Java implementation, and _that_ doesn't create a signature
matching what's in the example either!  So either I'm doing something
painfully wrong or the Twitter documentation is incorrect.

If I take the 'base string' in the documentation and try to sign it
with the 'signing key' from the example, it's only a couple lines of
Groovy to use the net.oauth API:

import net.oauth.signature.HMAC_SHA1

// string from the example
def str = 'POST&https%3A%2F%2Fapi.twitter.com%2Foauth
%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost
%253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id
%253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce
%3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method
%3DHMAC_SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0'

// use the consumer secret from the example:
def hmac = new
HMAC_SHA1(consumerSecret:'MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98')


println hmac.getSignature(str)
// prints 'cz+LlAuzclTvE2YQiNogw3dC4yo=
// Example gives: 8wUi7m5HFQy76nowoCThusfgB+Q=

Any ideas?  Let me reiterate -- I know i can't use the example secret
key & parameters in my own code...  I'm trying to use some 'known
constant' to verify that at least I'm performing the hash operation
correctly.  My _real_ code uses javax.crypto.Mac similar to what's
being done by net.oauth...HMAC_SHA1.  You can see the code here:
http://oauth.googlecode.com/svn/code/java/core/commons/src/main/java/net/oauth/signature/HMAC_SHA1.java

So my theory is, either the Twitter documentation is wrong and I
shouldn't trust it as a basis for implementing my own oauth consumer
code, or there's some problem with how javax.crypto.Mac is being
used...  Or I'm doing something else totally idiotic.  Any ideas?

Thanks.



* partially as just an academic exercise, I know there are other OAuth
implementations for Java.  So please don't ask "why don't you just use
Twitter4j or OAuth library ?"  :)

Re: [twitter-dev] Iphone search option question

[Taylor Singletary]

Today, the Search API is accessible on http://search.twitter.com and doesn't
require OAuth. You identify yourself by setting a HTTP User-Agent with the
HTTP library you use to perform searches.

You'll be issuing requests like
http://search.twitter.com/search.json?q=twitter

Then consuming the output by likely consuming the JSON output into a hash
structure and working from there.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Thu, Apr 29, 2010 at 7:28 AM, dw I  wrote:

> Hi!
>
> Im trying to put an twitter-search option (so no sign-in) in my iphone
> application, for an assignment, but dont understand how to do so. All
> the resources seem to be for webbased applications.. Can somebody
> please help me get started?Would be very much appriciated!!!
> Thanks!
>

Re: [twitter-dev] Re: server app publishing twitter status updates with oauth?

[Lil Peck]

Squeaky wheel here again. Some of us have been asking for oauth
examples for our single user web apps (currently basic auth) that
automatically post updates via either php curl or classic asp xhttp.
While we're all trying to wrap our heads around oauth, it seems to me
that there certainly must be lots of duplication of effort and wasted
time.

Does anyone have a simple working example of either that doesn't
require a PHP in computer programming to understand? 2 legged oauth
for dummies, anyone? ;)

[twitter-dev] Re: get public replies (or mentions) to following

[Orian Marx (@orian)]

You could try requesting an invite here: http://api.replyto.it/

On Apr 28, 11:57 pm, athanhcong  wrote:
> Hi all,
> In my apps, I want to (1)"get all recent official replies (or
> mentions) to my following and also the tweet's ids that replies reply
> to" OR (2)"get all replies to a tweet"
> I found that I can use search API to get all recent replies to a
> username or m, but the results don't give me the tweet's id that each
> search result reply to. To get that id I need to use "statuses/show/
> id" API to get full information of result-tweet. But this approach
> costs a lot of requests to server.
>
> Do you have any idea to solve this?
>
> Thanks.

Re: [twitter-dev] Re: Invalid / used nonce but only for certain user names?

[Taylor Singletary]

We have a weird error condition in the OAuth implementation right now that
throws invalid nonce errors when it's not necessarily the issue. We're still
tracking what exactly causes this down, but believe that it's not applicable
to the OAuth implementation rewrite we'll soon be rolling out.

In the meantime, when you get this error and you're fairly certain you've
never used the nonce before, if you can provide a signature base string and
authorization header corresponding to the failed request it will give us
better visibility into possible causation.

Thanks!

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Wed, Apr 28, 2010 at 7:15 PM, Dewald Pretorius  wrote:

> Cory,
>
> I have had similar issues. When you get that 401 error, you need to
> back off for a second or two, recalculate the nonce, and then resubmit
> the request.
>
> On Apr 28, 10:52 pm, Cory  wrote:
> > Anyone have any ideas about this? I'm really not sure where to go or
> > what to check from here, and I need to get this taken care of. Any
> > information would be appreciated!
>

Re: [twitter-dev] Re: server app publishing twitter status updates with oauth?

[Taylor Singletary]

Hi Simon,

You've figured out all the right answers! Glad to hear. SignPost should work
fine for you with Twitter, but I'll just mention that it has some issues
with other services with stricter OAuth implementations.

Wish you luck in finding your way to OAuth, and we're here to help if you
get stuck along the way.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod


On Wed, Apr 28, 2010 at 4:32 PM, Simon  wrote:

> To reply to myself: I've figured most of this out now.
>
> (1)
> Yes, the app should be registered.
>
> Log on to the twitter account that messages will be published to, then
> go to "dev.twitter.com/apps" and add a new app.
>
> (2)
> When an app is defined by an account, the app is automatically added
> to that account's connections.
>
> (3)
> No, xauth is not the right tool. On the app page (either just after
> defining the app, or later by account settings | connections), the "my
> access token" button will create an authentication (token, secret)
> pair that can be used to authenticate the server app against the
> account. The "web-based authentication" step is then unnecessary.
> These auth tokes do not expire (unless you explicitly log onto the
> account and revoke the token).
>
> (4)
> It looks like the signing is not too complicated, but also non-
> trivial; oauth is simply more complex than basic auth. So using a lib
> is probably the best solution. The Signpost project (google) appears
> to have a nice small implementation.
>

[twitter-dev] Iphone search option question

[dw I]

Hi!

Im trying to put an twitter-search option (so no sign-in) in my iphone
application, for an assignment, but dont understand how to do so. All
the resources seem to be for webbased applications.. Can somebody
please help me get started?Would be very much appriciated!!!
Thanks!

Re: [twitter-dev] 413 errors from streaming api

[John Kalucki]

There are several conditions that will result in a 413. You'll get a
short text message back with the error code that should describe the
problem. Note that the default access role limits you to following
just 400 userids. You'll need elevated access to follow more.

Yes, please send POST params. URL params are useful for prototyping
and general hackery, but the length is limited.

-John Kalucki
http://twitter.com/jkalucki
Infrastructure, Twitter Inc.


On Wed, Apr 28, 2010 at 8:23 PM, Paul Tarjan  wrote:
> I'm connecting to the streaming API with many userids in the filter
> param, and quickly went over my URL request length and got HTTP 413.
>
> Can I send post params? How else can I get updates from a large set of
> users in a streaming fashion?
>
> Thanks
> Paul
>

Re: [twitter-dev] get public replies (or mentions) to following

[Niklas Deutschmann]

Hi,


In my apps, I want to (1)"get all recent official replies (or
mentions) to my following and also the tweet's ids that replies reply
to" OR (2)"get all replies to a tweet"


Here's a discussion on this feature - won't come very soon, I think:

http://code.google.com/p/twitter-api/issues/detail?id=142

Niklas

[twitter-dev] 413 errors from streaming api

[Paul Tarjan]

I'm connecting to the streaming API with many userids in the filter
param, and quickly went over my URL request length and got HTTP 413.

Can I send post params? How else can I get updates from a large set of
users in a streaming fashion?

Thanks
Paul

Re: [twitter-dev] Duplicate Statuses in Public Timeline

[John Kalucki]

What is your goal for this application?

Are you trying to get a sampling of statuses for analysis, or for
occasional casual display? If the former, you should use a sample
method on the Streaming API. If the later, please persist in your
quest for a reasonably unique result set. The public timeline isn't
used much anymore and regressions could theoretically and regrettably,
exist for a bit without anyone noticing.

-John Kalucki
http://twitter.com/jkalucki
Infrastructure, Twitter Inc.



On Thu, Apr 29, 2010 at 4:54 AM, mattarnold1977
 wrote:
> This is the third time I've reported this issue in the last couple of
> weeks.  I still have not received any word back from Twitter support
> regarding this issue.  My server log is filling up with duplicate
> status errors coming from the public timeline.  I'm waiting to hit the
> timeline until after the cache period, so it's not that.  And, yes
> it's not just duplicate status ids I'm seeing, it's also duplicate
> statuses as well.  Every time I hit the public timeline I compare the
> results against a months worth of data that I have saved.  Is anyone
> else having this issue?
>
> -Matt
>

Re: [twitter-dev] About update limits

[Raffi Krikorian]

the numbers are roughly broken up over the day.  and the limit applies to an
account.

and yes - there is a whitelisting for status/updates -- please e-mail
a...@twitter to ask for it.

On Thu, Apr 29, 2010 at 5:26 AM, akaii  wrote:

> This is what the FAQ has to say about status update limits:
>
> Updates: 1,000 per day. The daily update limit is further broken down
> into smaller limits for semi-hourly intervals. Retweets are counted as
> updates.
>
> I'm a little unclear as to what exactly is meant by "further broken
> down into smaller limits for semi-hourly intervals". Is the 1000 per
> day limit divided evenly between the 48 half hours each day (around 20
> or so tweets per half an hour?).
>
> Also, I'm assuming this limit applies to each unique account?
>
> Is this limit absolutely fixed? Or is there some equivalent to
> "whitelisting" for status/update limits as well?
>
> Thanks...
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

[twitter-dev] Rate limit status with authentication credentials for authenticated user account.

[Rushikesh Bhanage]

Hi there,

   We are developing an app in which we need little of your help. may I know
how to get rate-limit status if we provide authentication credentials of an
authenticated user. is it possible if we provide user name and password
manually through code instead of twitter OAuth. If it is, how can we do
that?



waiting for reply eagerly,
Thank you very much in advance.

[twitter-dev] About update limits

[akaii]

This is what the FAQ has to say about status update limits:

Updates: 1,000 per day. The daily update limit is further broken down
into smaller limits for semi-hourly intervals. Retweets are counted as
updates.

I'm a little unclear as to what exactly is meant by "further broken
down into smaller limits for semi-hourly intervals". Is the 1000 per
day limit divided evenly between the 48 half hours each day (around 20
or so tweets per half an hour?).

Also, I'm assuming this limit applies to each unique account?

Is this limit absolutely fixed? Or is there some equivalent to
"whitelisting" for status/update limits as well?

Thanks...

Re: [twitter-dev] Duplicate Statuses in Public Timeline

[Raffi Krikorian]

hi matt.

are you using since_id on your public timeline calls?

On Thu, Apr 29, 2010 at 4:54 AM, mattarnold1977
wrote:

> This is the third time I've reported this issue in the last couple of
> weeks.  I still have not received any word back from Twitter support
> regarding this issue.  My server log is filling up with duplicate
> status errors coming from the public timeline.  I'm waiting to hit the
> timeline until after the cache period, so it's not that.  And, yes
> it's not just duplicate status ids I'm seeing, it's also duplicate
> statuses as well.  Every time I hit the public timeline I compare the
> results against a months worth of data that I have saved.  Is anyone
> else having this issue?
>
> -Matt
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

[twitter-dev] Duplicate Statuses in Public Timeline

[mattarnold1977]

This is the third time I've reported this issue in the last couple of
weeks.  I still have not received any word back from Twitter support
regarding this issue.  My server log is filling up with duplicate
status errors coming from the public timeline.  I'm waiting to hit the
timeline until after the cache period, so it's not that.  And, yes
it's not just duplicate status ids I'm seeing, it's also duplicate
statuses as well.  Every time I hit the public timeline I compare the
results against a months worth of data that I have saved.  Is anyone
else having this issue?

-Matt

Re: [twitter-dev] Mobile OAuth Summary

[Raffi Krikorian]

hi.

i'll follow up on this - do you have a notion of what browsers, what phones,
etc. your users are coming from

On Thu, Apr 29, 2010 at 1:49 AM, twittme_mobi wrote:

> Hello,
>
> I migrated my mobile web site to OAuth.
> Now, I have a lot of users complaining that the OAuth page of twitter
> is not
> mobile friendly.Some of them are getting just a blank screen or just
> cannot open it.
>
> My honest question is - this is being discussed many times but where
> are we with this?
> Are all those users really suppose to get such a bad user experience?
> Why would you need a javascript
> on a login page?Is it so hard to create such page just for mobile
> browsers?
>
> Is anybody handling this - I mean it is an obvious problem that we
> have for more than a year already.
>
> Any comments on this are highly appreciated.
>



-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

[twitter-dev] Re: xAuth Approval?

[Ivo]

Well I don't like that.. does anybody here think about user
experience? What is a rock solid security model good for, when nobody
uses it because it's just cumbersome? As always in life, trade offs
need to be made. I could design a black box where nothing would ever
get in or out, but this box wouldn't be useful for anything...

Also I can't find the word "Browser" in "Twitter Client", and what's
so secure about the Browser anyway? There's no reason to trust it!
It's just another program, like the Twitter Client of your choice is
too. Or can you make Mozilla responsible if someone gets his Accounts
hacked while using Firefox? :P

PS: My client uses xAuth too, but I dismiss the password instantly
after the Request has been send, I think that's is a suitable
solution.


On Apr 27, 4:59 am, "M. Edward (Ed) Borasky" 
wrote:
> On 04/26/2010 05:16 PM, Cameron Kaiser wrote:
>
> >> xAuth is a method for which to exchange usernames and passwords for those
> >> tokens, without send the user through the workflow.  this is for two
> >> reasons: 1. mobile/desktop application authors have complained that it 
> >> makes
> >> their UX fugly when they bring up a web browser (i'll hold my opinions on
> >> this); and 2. web applications that have been storing usernames and
> >> passwords need a method to "bulk convert" all their users over to oauth
> >> tokens.
>
> > and 3. Browserless environments. I'm pretty sure that was one of the initial
> > motivators way back when the crud was flying.
>
> Yeah ... but I *like* having the browser involved.
>
> --
> M. Edward (Ed) Borasky
> borasky-research.net/m-edward-ed-borasky
>
> "A mathematician is a device for turning coffee into theorems." ~ Paul Erdős
>
> --
> Subscription 
> settings:http://groups.google.com/group/twitter-development-talk/subscribe?hl=en

[twitter-dev] Mobile OAuth Summary

[twittme_mobi]

Hello,

I migrated my mobile web site to OAuth.
Now, I have a lot of users complaining that the OAuth page of twitter
is not
mobile friendly.Some of them are getting just a blank screen or just
cannot open it.

My honest question is - this is being discussed many times but where
are we with this?
Are all those users really suppose to get such a bad user experience?
Why would you need a javascript
on a login page?Is it so hard to create such page just for mobile
browsers?

Is anybody handling this - I mean it is an obvious problem that we
have for more than a year already.

Any comments on this are highly appreciated.

[twitter-dev] What is the best way to find all the replies to a tweet?

[Dushyant]

I can think of only one efficient way which is to use the status
mentions. Is there any other quicker way?

http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-statuses-mentions

[twitter-dev] Re: Accurately accessing favorites

[glenn gillen]

> tweet was favorites. So I can't just grab pages of favorites until I
> reach the date of the most recent favorite from the week before...
>
> Is there another way?

I was thinking of something like the following to get around it:

* retrieve user's latest `favourites_count` from users/lookup
* while favourites_count != the count you have stored || reached end
of favorites
** iterate over the favorited posts and store

But you've still got the issue of dealing with people unfavoriting
posts which will screw the whole thing up. Sounds like the only way to
make work is to iterate over the whole set and store what you're
missing, or beg and plead for the API team to store a favorited_at
datetime that you can order by.
--
Glenn
http://glenngillen.com/