Re: [twitter-dev] 401 Unauthorized errors with Progress Open Edge using xAuth to get Access token
Hi Taylor,

Now I have the Access Token and I use the explanations in
http://dev.twitter.com/pages/auth to make a request on user's behalf, I
get a response from twitter:

Twitter Response= {"errors":[{"code":53,"message":"Basic authentication is not supported"}]}
Status= 401
StatusTxt= Unauthorized

I am using the same procedure just changing the parameters to follow
the example in http://dev.twitter.com/pages/auth and signing the
request with oauth_consumer_secret + "&" + oauth_token_secret tied to
my access token...

Posting to: http://api.twitter.com/1/statuses/update.json

Authorization header parameters:
OAuth oauth_consumer_key="1q0ZoaBf3fKFP1hSmhVNQ",
oauth_nonce="M2XTcq44gwlMHw9VbP98FQkB7TRSc1iIX0IOiAA500B",
oauth_signature="f6Xz1tSwO8FCvkIJu4mgXYfNvUM%3D",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1288703533",
oauth_token="46989789-6NoccKZ1NVN3wdtlRGyhQrUG3b9RcU9Tkn372uIg3",
oauth_version="1.0", status="PostingthroughMicrosoftXMLHTTP"

Any suggestions?

Martin Hannah wrote:
> Hi Taylor,
>
> Success, the missing piece of the puzzle was that we needed to send
> the post Body, which although it was explained in documentation, we
> thought it was there for explanation of how the values are accumulated
> for the base string.. seems obvious now, but when you're trying to do
> this for 1st time, it wasn't obvious then.
>
> So the find part of the send is:
> objHTTP:send("x_auth_username=oauth_test_exec&x_auth_password=twitter-xauth&x_auth_mode=client_auth").
>
> So my last question is, should this be url encoded, because when we
> URL encoded (as the doco suggests) it did NOT work.
>
> Martin Hannah wrote:
> > Hi Taylor,
> > In order to test your 1st suggestion "do you know if your HTTP
> > transport method munges any HTTP headers or adds its own HTTP headers
> > in any way?" we created a simple test procedure on our public web
> > server, to simulate the google end point
> > https://api.twitter.com/oauth/access_token.
> > So with our test program pointing to another end point we could
> > capture the values that google's end point might receive.
> > The values received by our web service end point (simulator) (along
> > with other CGI values) are:
> >
> > HTTP_AUTHORIZATION= OAuth oauth_consumer_key="TY0Js5vMc04HNqmqIkNEnQ",
> > oauth_nonce="jGmEee2Jc0DaEK516jl6g2FSHgOgmNPqlpK43UJYXZF",
> > oauth_signature="%2Bd2K%2FxydAtBaSETDWwXCo4LN1Js%3D",
> > oauth_signature_method="HMAC-SHA1", oauth_timestamp="1288666484",
> > oauth_version="1.0"
> > REQUEST_METHOD=POST
> >
> > So I presume this is indicating the post request is not munged/altered
> > in any way by the Microsoft XMLHTTP OCX when it sends the request
> > using:
> >
> > > > Create "Microsoft.XMLHTTP" objHTTP .
> > > > objHTTP:open("POST",api-atokin, false, p-username, p-password).
> > > > objHTTP:setRequestHeader('Authorization', v-params).
> > > > objHTTP:SetRequestHeader("Content-Type","application/x-www-form-urlencoded").
> > > > objHTTP:send().
> >
> > Note: The syntax of the Progress code (above) that uses objHTTP is
> > very similar to Visual basic. In fact we used the syntax for
> > objHTTP:open and setRequestHeader("Authorization" that you see above,
> > in the same way as it is used in the Google examples in
> > http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html
> > (open this Google example page and view HTML source from lines 32 to
> > 53..)
> >
> > We are checking the 2nd and 3rd suggestions now... and hope to have
> > further test results posted in next few hours..
> >
> > Taylor Singletary wrote:
> > > Hi Martin,
> > >
> > > Thanks for your patience in working through xAuth with the issues you're
> > > facing. Given the information you've provided, it's difficult to determine
> > > exactly what might be amiss here.
> > >
> > > I'm unfamiliar with the programming environment you are using -- do you know
> > > if your HTTP transport method munges any HTTP headers or adds its own HTTP
> > > headers in any way? If you utilize an access token obtained through other
> > > means (such as by the procedure outlined in http://bit.ly/1token ) are you
> > > able to get any other kind of OAuth-based requests functional with your
> > > OAuth library?
> > >
> > > You mentioned that you successfully recreated the examples at
> > > http://dev.twitter.com/pages/xauth -- acknowledging that those values would
> > > also return a 401 from our API but provide a "safe" login & password you can
> > > share on a public forum, is there any way you can perform an HTTP capture of
> > > the entire request cycle using those static values? This would allow us to
> > > see the entire HTTP request, including headers sent/received, the raw POST
> > > body, etc -- which may yield an obvious answer as to why your implementation
> > > is not working.
> > >
> > > Hang in there!
> > > Taylor
> > >
> > >
> > > On Tue, Oct 26, 2010 at 3:20 PM, Martin Hannah wrote:
> > >
> > > > We had an application s
Re: [twitter-dev] 401 Unauthorized errors with Progress Open Edge using xAuth to get Access token
Hi Taylor,

Success, the missing piece of the puzzle was that we needed to send
the post Body, which although it was explained in documentation, we
thought it was there for explanation of how the values are accumulated
for the base string.. seems obvious now, but when you're trying to do
this for 1st time, it wasn't obvious then.

So the find part of the send is:
objHTTP:send("x_auth_username=oauth_test_exec&x_auth_password=twitter-xauth&x_auth_mode=client_auth").

So my last question is, should this be url encoded, because when we
URL encoded (as the doco suggests) it did NOT work.

Martin Hannah wrote:
> Hi Taylor,
> In order to test your 1st suggestion "do you know if your HTTP
> transport method munges any HTTP headers or adds its own HTTP headers
> in any way?" we created a simple test procedure on our public web
> server, to simulate the google end point
> https://api.twitter.com/oauth/access_token.
> So with our test program pointing to another end point we could
> capture the values that google's end point might receive.
> The values received by our web service end point (simulator) (along
> with other CGI values) are:
>
> HTTP_AUTHORIZATION= OAuth oauth_consumer_key="TY0Js5vMc04HNqmqIkNEnQ",
> oauth_nonce="jGmEee2Jc0DaEK516jl6g2FSHgOgmNPqlpK43UJYXZF",
> oauth_signature="%2Bd2K%2FxydAtBaSETDWwXCo4LN1Js%3D",
> oauth_signature_method="HMAC-SHA1", oauth_timestamp="1288666484",
> oauth_version="1.0"
> REQUEST_METHOD=POST
>
> So I presume this is indicating the post request is not munged/altered
> in any way by the Microsoft XMLHTTP OCX when it sends the request
> using:
>
> > > Create "Microsoft.XMLHTTP" objHTTP .
> > > objHTTP:open("POST",api-atokin, false, p-username, p-password).
> > > objHTTP:setRequestHeader('Authorization', v-params).
> > > objHTTP:SetRequestHeader("Content-Type","application/x-www-form-urlencoded").
> > > objHTTP:send().
>
> Note: The syntax of the Progress code (above) that uses objHTTP is
> very similar to Visual basic. In fact we used the syntax for
> objHTTP:open and setRequestHeader("Authorization" that you see above,
> in the same way as it is used in the Google examples in
> http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html
> (open this Google example page and view HTML source from lines 32 to
> 53..)
>
> We are checking the 2nd and 3rd suggestions now... and hope to have
> further test results posted in next few hours..
>
> Taylor Singletary wrote:
> > Hi Martin,
> >
> > Thanks for your patience in working through xAuth with the issues you're
> > facing. Given the information you've provided, it's difficult to determine
> > exactly what might be amiss here.
> >
> > I'm unfamiliar with the programming environment you are using -- do you know
> > if your HTTP transport method munges any HTTP headers or adds its own HTTP
> > headers in any way? If you utilize an access token obtained through other
> > means (such as by the procedure outlined in http://bit.ly/1token ) are you
> > able to get any other kind of OAuth-based requests functional with your
> > OAuth library?
> >
> > You mentioned that you successfully recreated the examples at
> > http://dev.twitter.com/pages/xauth -- acknowledging that those values would
> > also return a 401 from our API but provide a "safe" login & password you can
> > share on a public forum, is there any way you can perform an HTTP capture of
> > the entire request cycle using those static values? This would allow us to
> > see the entire HTTP request, including headers sent/received, the raw POST
> > body, etc -- which may yield an obvious answer as to why your implementation
> > is not working.
> >
> > Hang in there!
> > Taylor
> >
> >
> > On Tue, Oct 26, 2010 at 3:20 PM, Martin Hannah wrote:
> >
> > > We had an application successfully talking to twitter for a few years
> > > prior to oAuth, and now converting this application to xAuth and can't
> > > get past the first step.
> > >
> > > The application gets a 401 "Unauthorized" response when attempting to
> > > get the access token.
> > >
> > > Have confirmed our program when provided with the same consumer_key
> > > and Secret key as on twitter documentation page
> > > http://dev.twitter.com/pages/xauth
> > > produces exactly the same Signature, parameters, base string as on
> > > http://dev.twitter.com/pages/xauth doco page. (i.e. have done detailed
> > > string comparisons of output at each step to the twitter documentation
> > > http://dev.twitter.com/pages/xauth by placing the twitter values in a
> > > string variable and comparing to the values produced by our program,
> > > so confident these are the same).
> > >
> > > Using our consumer and secret keys in the test site
> > >
> > > http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests
> > > and compared the base string and signature results to our program and
> > > again they are exactly the same.
> > >
> > > Have checked the time stamp is producing correct time (based on epoch
Re: [twitter-dev] 401 Unauthorized errors with Progress Open Edge using xAuth to get Access token
Hi Taylor,

In relation to the 2nd test, I have used the values from
http://dev.twitter.com/pages/xauth and inserted these into my program
to step through the process.

Base string:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_token&oauth_consumer_key%3DJvyS7DO2qd6NNTsXJ4E7zA
%26oauth_nonce%3D6AN2dKRzxyGhmIXUKSmp1JcB4pckM8rD3frKMTmVAo
%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp
%3D1284565601%26oauth_version%3D1.0%26x_auth_mode%3Dclient_auth
%26x_auth_password%3Dtwitter-xauth%26x_auth_username%3Doauth_test_exec

Secret key used in generation of signature:
9z6157pUbOBqtbm0A0q4r29Y2EYzIHlUwbF4Cl9c&

oauth_signature generated:
1L1oXQmawZAkQ47FHLwcOV%2Bkjwc%3D

Authorization string sent in Authorization Header
v-params =
OAuth oauth_nonce="6AN2dKRzxyGhmIXUKSmp1JcB4pckM8rD3frKMTmVAo",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1284565601",
oauth_consumer_key="JvyS7DO2qd6NNTsXJ4E7zA",
oauth_signature="1L1oXQmawZAkQ47FHLwcOV%2Bkjwc%3D", oauth_version="1.0"

This is then sent to Twitter via:
Create "Microsoft.XMLHTTP" objHTTP.
objHTTP:open("POST",'https://api.twitter.com/oauth/access_token', false, p-username, p-password).
objHTTP:setRequestHeader('Authorization', v-params).
objHTTP:SetRequestHeader("Content-Type","application/x-www-form-urlencoded").
objHTTP:send().

Questions:
In relation to the Authorization string sent in Authorization Header
which is as follows:
v-params =
OAuth oauth_nonce="6AN2dKRzxyGhmIXUKSmp1JcB4pckM8rD3frKMTmVAo",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1284565601",
oauth_consumer_key="JvyS7DO2qd6NNTsXJ4E7zA",
oauth_signature="1L1oXQmawZAkQ47FHLwcOV%2Bkjwc%3D", oauth_version="1.0"

1. Do the name/value pairs in the string need to be in any particular
order
a) i.e. the name/value pairs must be in descending order for encoding as
a signature, but in the documentation in
http://dev.twitter.com/pages/xauth the name/value pairs sent in
Authorization header are in a different order. I understand they are in
descending order for signature, does the order matter for the
Authorization header?
b) Should the authorization header name/value pairs be URL encoded ..?

2. All the documentation suggests that the nonce is a random number and
we borrowed and adapted some code to generate this number each time..
Please confirm that this is correct.

We are now performing another test based on your suggestions and
results of today's investigations/tests and will post results as soon as
complete.

Taylor Singletary wrote:
> Hi Martin,
>
> Thanks for your patience in working through xAuth with the issues you're
> facing. Given the information you've provided, it's difficult to determine
> exactly what might be amiss here.
>
> I'm unfamiliar with the programming environment you are using -- do you know
> if your HTTP transport method munges any HTTP headers or adds its own HTTP
> headers in any way? If you utilize an access token obtained through other
> means (such as by the procedure outlined in http://bit.ly/1token ) are you
> able to get any other kind of OAuth-based requests functional with your
> OAuth library?
>
> You mentioned that you successfully recreated the examples at
> http://dev.twitter.com/pages/xauth -- acknowledging that those values would
> also return a 401 from our API but provide a "safe" login & password you can
> share on a public forum, is there any way you can perform an HTTP capture of
> the entire request cycle using those static values? This would allow us to
> see the entire HTTP request, including headers sent/received, the raw POST
> body, etc -- which may yield an obvious answer as to why your implementation
> is not working.
>
> Hang in there!
> Taylor
>
>
> On Tue, Oct 26, 2010 at 3:20 PM, Martin Hannah wrote:
>
> > We had an application successfully talking to twitter for a few years
> > prior to oAuth, and now converting this application to xAuth and can't
> > get past the first step.
> >
> > The application gets a 401 "Unauthorized" response when attempting to
> > get the access token.
> >
> > Have confirmed our program when provided with the same consumer_key
> > and Secret key as on twitter documentation page
> > http://dev.twitter.com/pages/xauth
> > produces exactly the same Signature, parameters, base string as on
> > http://dev.twitter.com/pages/xauth doco page. (i.e. have done detailed
> > string comparisons of output at each step to the twitter documentation
> > http://dev.twitter.com/pages/xauth by placing the twitter values in a
> > string variable and comparing to the values produced by our program,
> > so confident these are the same).
> >
> > Using our consumer and secret keys in the test site
> >
> > http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests
> > and compared the base string and signature results to our program and
> > again they are exactly the same.
> >
> > Have checked the time stamp is producing correct time (based on epoch
> > time) by comparing against http://unixti
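
The fix reported in this thread (the x_auth_* parameters have to be sent in the POST body, not only signed) and the header-ordering question in the message above can both be checked offline. The following is an added example, not code from any poster or from Twitter: it recomputes an OAuth 1.0 HMAC-SHA1 signature from the Authorization header plus the form body, the way a receiving server would under RFC 5849, using the documentation test values quoted in the thread. The function names are made up for the example, the header is built by the example itself, and the "wholly encoded body" case is an assumption about one way URL-encoding the body can go wrong.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote

# Documentation test values quoted in the thread (not live credentials).
URL = "https://api.twitter.com/oauth/access_token"
CONSUMER_SECRET = "9z6157pUbOBqtbm0A0q4r29Y2EYzIHlUwbF4Cl9c"
OAUTH = {
    "oauth_consumer_key": "JvyS7DO2qd6NNTsXJ4E7zA",
    "oauth_nonce": "6AN2dKRzxyGhmIXUKSmp1JcB4pckM8rD3frKMTmVAo",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1284565601",
    "oauth_version": "1.0",
}
BODY = ("x_auth_username=oauth_test_exec&x_auth_password=twitter-xauth"
        "&x_auth_mode=client_auth")
# Parameter order used in the Authorization header quoted in the thread.
THREAD_ORDER = ["oauth_nonce", "oauth_signature_method", "oauth_timestamp",
                "oauth_consumer_key", "oauth_signature", "oauth_version"]


def pct(text):
    """Percent-encode everything except the RFC 3986 unreserved characters."""
    return quote(text, safe="-._~")


def base_string(method, url, params):
    """METHOD & encoded URL & encoded list of sorted, encoded name=value pairs."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_header(oauth_params, signature, order=None):
    """Serialise the header; each value is percent-encoded inside its quotes."""
    fields = dict(oauth_params, oauth_signature=signature)
    names = order or list(fields)
    return "OAuth " + ", ".join(f'{n}="{pct(fields[n])}"' for n in names)


def parse_header(header):
    """Split 'OAuth k="v", ...' into a dict of percent-decoded values."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    fields = {}
    for item in rest.split(","):
        name, _, value = item.strip().partition("=")
        fields[name] = unquote(value.strip('"'))
    return fields


def verify(method, url, header, body, consumer_secret, token_secret=""):
    """Recompute the signature from what actually arrived: header plus body."""
    fields = parse_header(header)
    claimed = fields.pop("oauth_signature", "")
    fields.update(parse_qsl(body, keep_blank_values=True))
    expected = sign(base_string(method, url, fields), consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), claimed.encode())


def signed_params():
    """Everything the client signs: oauth_* fields plus the x_auth_* body fields."""
    return dict(OAUTH, **dict(parse_qsl(BODY)))


def demo():
    signature = sign(base_string("POST", URL, signed_params()), CONSUMER_SECRET)
    header = build_header(OAUTH, signature)
    reordered = build_header(OAUTH, signature, order=THREAD_ORDER)
    return {
        # Body sent exactly as signed: the recomputed signature matches.
        "body_sent": verify("POST", URL, header, BODY, CONSUMER_SECRET),
        # send() with no body: the x_auth_* fields never reach the verifier.
        "body_missing": verify("POST", URL, header, "", CONSUMER_SECRET),
        # Header fields in a different order: sorting happens before signing.
        "header_reordered": verify("POST", URL, reordered, BODY, CONSUMER_SECRET),
        # Assumed mistake: encoding the whole body, '=' and '&' included.
        "body_wholly_encoded": verify("POST", URL, header, pct(BODY), CONSUMER_SECRET),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'signature verifies' if ok else 'signature mismatch'}")
```
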
Re: [twitter-dev] 401 Unauthorized errors with Progress Open Edge using xAuth to get Access token
Hi Taylor,

In order to test your 1st suggestion "do you know if your HTTP
transport method munges any HTTP headers or adds its own HTTP headers
in any way?" we created a simple test procedure on our public web
server, to simulate the google end point
https://api.twitter.com/oauth/access_token.
So with our test program pointing to another end point we could
capture the values that google's end point might receive.
The values received by our web service end point (simulator) (along
with other CGI values) are:

HTTP_AUTHORIZATION= OAuth oauth_consumer_key="TY0Js5vMc04HNqmqIkNEnQ",
oauth_nonce="jGmEee2Jc0DaEK516jl6g2FSHgOgmNPqlpK43UJYXZF",
oauth_signature="%2Bd2K%2FxydAtBaSETDWwXCo4LN1Js%3D",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1288666484",
oauth_version="1.0"
REQUEST_METHOD=POST

So I presume this is indicating the post request is not munged/altered
in any way by the Microsoft XMLHTTP OCX when it sends the request
using:

> > Create "Microsoft.XMLHTTP" objHTTP .
> > objHTTP:open("POST",api-atokin, false, p-username, p-password).
> > objHTTP:setRequestHeader('Authorization', v-params).
> > objHTTP:SetRequestHeader("Content-Type","application/x-www-form-urlencoded").
> > objHTTP:send().

Note: The syntax of the Progress code (above) that uses objHTTP is
very similar to Visual basic. In fact we used the syntax for
objHTTP:open and setRequestHeader("Authorization" that you see above,
in the same way as it is used in the Google examples in
http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html
(open this Google example page and view HTML source from lines 32 to
53..)

We are checking the 2nd and 3rd suggestions now... and hope to have
further test results posted in next few hours..

Taylor Singletary wrote:
> Hi Martin,
>
> Thanks for your patience in working through xAuth with the issues you're
> facing. Given the information you've provided, it's difficult to determine
> exactly what might be amiss here.
>
> I'm unfamiliar with the programming environment you are using -- do you know
> if your HTTP transport method munges any HTTP headers or adds its own HTTP
> headers in any way? If you utilize an access token obtained through other
> means (such as by the procedure outlined in http://bit.ly/1token ) are you
> able to get any other kind of OAuth-based requests functional with your
> OAuth library?
>
> You mentioned that you successfully recreated the examples at
> http://dev.twitter.com/pages/xauth -- acknowledging that those values would
> also return a 401 from our API but provide a "safe" login & password you can
> share on a public forum, is there any way you can perform an HTTP capture of
> the entire request cycle using those static values? This would allow us to
> see the entire HTTP request, including headers sent/received, the raw POST
> body, etc -- which may yield an obvious answer as to why your implementation
> is not working.
>
> Hang in there!
> Taylor
>
>
> On Tue, Oct 26, 2010 at 3:20 PM, Martin Hannah wrote:
>
> > We had an application successfully talking to twitter for a few years
> > prior to oAuth, and now converting this application to xAuth and can't
> > get past the first step.
> >
> > The application gets a 401 "Unauthorized" response when attempting to
> > get the access token.
> >
> > Have confirmed our program when provided with the same consumer_key
> > and Secret key as on twitter documentation page
> > http://dev.twitter.com/pages/xauth
> > produces exactly the same Signature, parameters, base string as on
> > http://dev.twitter.com/pages/xauth doco page. (i.e. have done detailed
> > string comparisons of output at each step to the twitter documentation
> > http://dev.twitter.com/pages/xauth by placing the twitter values in a
> > string variable and comparing to the values produced by our program,
> > so confident these are the same).
> >
> > Using our consumer and secret keys in the test site
> >
> > http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests
> > and compared the base string and signature results to our program and
> > again they are exactly the same.
> >
> > Have checked the time stamp is producing correct time (based on epoch
> > time) by comparing against http://unixtimestamp.com/index.php
> >
> > Passing my consumer_secret with & at end into signature generator
> > (which as I said above seems to be producing correct results because
> > we used values in http://dev.twitter.com/pages/xauth and it generated
> > the same oauth_signature value)
> >
> > Base string:
> > POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> > %2Faccess_token&oauth_consumer_key%3D1q0ZoaBf3fKFP1hSmhVNQ
> > %26oauth_nonce
> > %3Duv3AtzLBjawzvasO3EPAU3bbR53NyHGlvLp33IRCzG8%26oauth_signature_method
> > %3DHMAC-SHA1%26oauth_timestamp%3D1288131701%26oauth_version
> > %3D1.0%26x_auth_mode%3Dclient_auth%26x_auth_password%3D
> > %26x_auth_username%3D
> >
> > Authorization header parameters:
> > OAuth oauth_nonce="uv3AtzLBjaw
Re: [twitter-dev] 401 Unauthorized errors with Progress Open Edge using xAuth to get Access token
Hi Martin,

Thanks for your patience in working through xAuth with the issues you're
facing. Given the information you've provided, it's difficult to determine
exactly what might be amiss here.

I'm unfamiliar with the programming environment you are using -- do you know
if your HTTP transport method munges any HTTP headers or adds its own HTTP
headers in any way? If you utilize an access token obtained through other
means (such as by the procedure outlined in http://bit.ly/1token ) are you
able to get any other kind of OAuth-based requests functional with your
OAuth library?

You mentioned that you successfully recreated the examples at
http://dev.twitter.com/pages/xauth -- acknowledging that those values would
also return a 401 from our API but provide a "safe" login & password you can
share on a public forum, is there any way you can perform an HTTP capture of
the entire request cycle using those static values? This would allow us to
see the entire HTTP request, including headers sent/received, the raw POST
body, etc -- which may yield an obvious answer as to why your implementation
is not working.

Hang in there!
Taylor

On Tue, Oct 26, 2010 at 3:20 PM, Martin Hannah wrote:

> We had an application successfully talking to twitter for a few years
> prior to oAuth, and now converting this application to xAuth and can't
> get past the first step.
>
> The application gets a 401 "Unauthorized" response when attempting to
> get the access token.
>
> Have confirmed our program when provided with the same consumer_key
> and Secret key as on twitter documentation page
> http://dev.twitter.com/pages/xauth
> produces exactly the same Signature, parameters, base string as on
> http://dev.twitter.com/pages/xauth doco page. (i.e. have done detailed
> string comparisons of output at each step to the twitter documentation
> http://dev.twitter.com/pages/xauth by placing the twitter values in a
> string variable and comparing to the values produced by our program,
> so confident these are the same).
>
> Using our consumer and secret keys in the test site
>
> http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests
> and compared the base string and signature results to our program and
> again they are exactly the same.
>
> Have checked the time stamp is producing correct time (based on epoch
> time) by comparing against http://unixtimestamp.com/index.php
>
> Passing my consumer_secret with & at end into signature generator
> (which as I said above seems to be producing correct results because
> we used values in http://dev.twitter.com/pages/xauth and it generated
> the same oauth_signature value)
>
> Base string:
> POST&https%3A%2F%2Fapi.twitter.com%2Foauth
> %2Faccess_token&oauth_consumer_key%3D1q0ZoaBf3fKFP1hSmhVNQ
> %26oauth_nonce
> %3Duv3AtzLBjawzvasO3EPAU3bbR53NyHGlvLp33IRCzG8%26oauth_signature_method
> %3DHMAC-SHA1%26oauth_timestamp%3D1288131701%26oauth_version
> %3D1.0%26x_auth_mode%3Dclient_auth%26x_auth_password%3D
> %26x_auth_username%3D
>
> Authorization header parameters:
> OAuth oauth_nonce="uv3AtzLBjawzvasO3EPAU3bbR53NyHGlvLp33IRCzG8",
> oauth_signature_method="HMAC-SHA1", oauth_timestamp="1288131701",
> oauth_consumer_key="1q0ZoaBf3fKFP1hSmhVNQ",
> oauth_signature="VQYSXdvrEtlvugqUpTXbCjYTNa0%3D", oauth_version="1.0"
>
> Twitter response:
> Status= 401
> StatusTxt= Unauthorized
> Headers= Date: Tue, 26 Oct 2010 21:22:01 GMT
> Server: hi
> Status: 401 Unauthorized
> X-Transaction: 1288128121-92836-33309
> Last-Modified: Tue, 26 Oct 2010 21:22:01 GMT
> X-Runtime: 0.00473
> Content-Type: text/html; charset=utf-8
> Pragma: no-cache
> X-Revision: DEV
> Expires: Tue, 31 Mar 1981 05:00:00 GMT
> Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
> Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCMdIa
> %252BorASIKZmxhc2hJQzonQWN0aW9uQ29u
> %250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJWJl
> %250AYzdlZGEzMDAwYmMwOWJhMTEwMzIyYjE1MTc5YzAw--
> f24fc1f95d728598870821f98152985632dbcc66; domain=.twitter.com; path=/
> Connection: close
>
> The actual Send procedure is: (tried procedure using both blank
> and valid p-username and p-password)
> define var objHTTP as com-handle.
> Create "Microsoft.XMLHTTP" objHTTP .
> objHTTP:open("POST",api-atokin, false, p-username, p-password).
> objHTTP:setRequestHeader('Authorization', v-params).
> objHTTP:SetRequestHeader("Content-Type","application/x-www-form-urlencoded").
> objHTTP:send().
>
> v-response = 'Response= ' + objHTTP:responseText + chr(10)
> + 'Status= '+ objHTTP:status + chr(10)
> + 'StatusTxt= ' + objHTTP:statusText + chr(10)
> + 'Headers= ' + objHTTP:getAllResponseHeaders() + chr(10) .
>
> I have emailed api.twitter.com and asked for them to check that I have
> xAuth enabled and they responded:
> "I can confirm that your application, client ID xxx, has xAuth
> access and I just refreshed its permissions
[twitter-dev] 401 Unauthorized errors with Progress Open Edge using xAuth to get Access token
We had an application successfully talking to twitter for a few years
prior to oAuth, and now converting this application to xAuth and can't
get past the first step.

The application gets a 401 "Unauthorized" response when attempting to
get the access token.

Have confirmed our program when provided with the same consumer_key
and Secret key as on twitter documentation page
http://dev.twitter.com/pages/xauth
produces exactly the same Signature, parameters, base string as on
http://dev.twitter.com/pages/xauth doco page. (i.e. have done detailed
string comparisons of output at each step to the twitter documentation
http://dev.twitter.com/pages/xauth by placing the twitter values in a
string variable and comparing to the values produced by our program,
so confident these are the same).

Using our consumer and secret keys in the test site
http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests
and compared the base string and signature results to our program and
again they are exactly the same.

Have checked the time stamp is producing correct time (based on epoch
time) by comparing against http://unixtimestamp.com/index.php

Passing my consumer_secret with & at end into signature generator
(which as I said above seems to be producing correct results because
we used values in http://dev.twitter.com/pages/xauth and it generated
the same oauth_signature value)

Base string:
POST&https%3A%2F%2Fapi.twitter.com%2Foauth
%2Faccess_token&oauth_consumer_key%3D1q0ZoaBf3fKFP1hSmhVNQ
%26oauth_nonce
%3Duv3AtzLBjawzvasO3EPAU3bbR53NyHGlvLp33IRCzG8%26oauth_signature_method
%3DHMAC-SHA1%26oauth_timestamp%3D1288131701%26oauth_version
%3D1.0%26x_auth_mode%3Dclient_auth%26x_auth_password%3D
%26x_auth_username%3D

Authorization header parameters:
OAuth oauth_nonce="uv3AtzLBjawzvasO3EPAU3bbR53NyHGlvLp33IRCzG8",
oauth_signature_method="HMAC-SHA1", oauth_timestamp="1288131701",
oauth_consumer_key="1q0ZoaBf3fKFP1hSmhVNQ",
oauth_signature="VQYSXdvrEtlvugqUpTXbCjYTNa0%3D", oauth_version="1.0"

Twitter response:
Status= 401
StatusTxt= Unauthorized
Headers= Date: Tue, 26 Oct 2010 21:22:01 GMT
Server: hi
Status: 401 Unauthorized
X-Transaction: 1288128121-92836-33309
Last-Modified: Tue, 26 Oct 2010 21:22:01 GMT
X-Runtime: 0.00473
Content-Type: text/html; charset=utf-8
Pragma: no-cache
X-Revision: DEV
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCMdIa
%252BorASIKZmxhc2hJQzonQWN0aW9uQ29u
%250AdHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoHaWQiJWJl
%250AYzdlZGEzMDAwYmMwOWJhMTEwMzIyYjE1MTc5YzAw--
f24fc1f95d728598870821f98152985632dbcc66; domain=.twitter.com; path=/
Connection: close

The actual Send procedure is: (tried procedure using both blank
and valid p-username and p-password)
define var objHTTP as com-handle.
Create "Microsoft.XMLHTTP" objHTTP .
objHTTP:open("POST",api-atokin, false, p-username, p-password).
objHTTP:setRequestHeader('Authorization', v-params).
objHTTP:SetRequestHeader("Content-Type","application/x-www-form-urlencoded").
objHTTP:send().

v-response = 'Response= ' + objHTTP:responseText + chr(10)
+ 'Status= '+ objHTTP:status + chr(10)
+ 'StatusTxt= ' + objHTTP:statusText + chr(10)
+ 'Headers= ' + objHTTP:getAllResponseHeaders() + chr(10) .

I have emailed api.twitter.com and asked for them to check that I have
xAuth enabled and they responded:
"I can confirm that your application, client ID xxx, has xAuth access
and I just refreshed its permissions and consumer keys for good
measure. If you still get 401 errors when trying to use xAuth with
these new keys, please post about it in our Developer Talk Group:
http://groups.google.com/group/twitter-development-talk . Our developer
advocates have been tracking some issues like these and will be happy
to help you out there, as well as use any information you provide to
debug any possible related issues on our side. I apologize for the
inconvenience."

I am stumped, and my team has been on this for 3 weeks

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk