I have an ongoing problem with "401 Unauthorized" errors calling access_token after the user has successfully authorized the app. It happens on a small percentage of calls, but frequently enough (usually several times per day) to be quite annoying, and it leads to user complaints.
I've provided the full transaction chain for one of the failed authorizations below, eliding identifying values. You can see from the timestamps in the response headers that the entire chain was completed in a reasonable amount of time. I notice a 14 second difference between the Date and Client-Date headers. I've verified that our server clock is accurate with NTP.

Also note that the final 401 response has no explanation in the body (Content-Length: 1). Whenever I'm able to force a 401 response (e.g., by calling access_token with already used request tokens) I get some failure explanation in the response body.

Is this a problem on my end or does this indicate a problem on Twitter's end? Is there anything else I can provide to help diagnose this problem?

-Marc

### request_token request ###

GET https://api.twitter.com/oauth/request_token
Authorization: OAuth oauth_callback="http%3A%2F%2F<elided>",oauth_consumer_key="<elided>",oauth_nonce="i%2FfgTr7omYPt4AAWfD4Bby35UlQ",oauth_signature="48U6n6FRtFYx1iKqtmE36ZMTvdw%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1293104523",oauth_version="1.0"
User-Agent: Net::Twitter/3.14002 (Perl)
X-Twitter-Client: Perl Net::Twitter
X-Twitter-Client-URL: http://search.cpan.org/dist/Net-Twitter/
X-Twitter-Client-Version: 3.14002

### request_token response ###

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Connection: close
Date: Thu, 23 Dec 2010 11:42:18 GMT
Pragma: no-cache
ETag: "9a7fe06568d1d60ff0edf37ea73d3517"
Server: hi
Vary: Accept-Encoding
Content-Length: 145
Content-Type: text/html; charset=utf-8
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Last-Modified: Thu, 23 Dec 2010 11:42:18 GMT
Client-Date: Thu, 23 Dec 2010 11:42:04 GMT
Client-Peer: 128.242.245.253:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Client-SSL-Cert-Subject: /serialNumber=Zys2dJJ09EPoEVGXYtegIdxG3OZtEOib/C=US/O=*.twitter.com/OU=GT57932074/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.twitter.com
Client-SSL-Cipher: DHE-RSA-AES256-SHA
Client-SSL-Warning: Peer certificate not verified
Set-Cookie: k=67.225.143.68.1293104538943773; path=/; expires=Thu, 30-Dec-10 11:42:18 GMT; domain=.twitter.com
Set-Cookie: guest_id=129310453895441949; path=/; expires=Sat, 22 Jan 2011 11:42:18 GMT
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCExlCRMtAToHaWQiJWJjODZjZmI5Mjc2ZTI1%250AY2ZhZWQ0YTQ2YjA5YTRlODZlIgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--e77d2ea105e6097a1a23f2d3ab34e11f6581b161; domain=.twitter.com; path=/
Status: 200 OK
X-Revision: DEV
X-Runtime: 0.02151
X-Transaction: 1293104538-2524-9007

oauth_token=3G61MtFOzOwUCzFCZ0i7qlBLCNg3GeSBq6JomuChg&oauth_token_secret=mgKM5MRmz5tcJwfDsJMASQ4kuSgDIFTuHc83uNmCAY&oauth_callback_confirmed=true

### redirect user to Twitter ###

https://api.twitter.com/oauth/authorize?oauth_token=3G61MtFOzOwUCzFCZ0i7qlBLCNg3GeSBq6JomuChg

### user returned to OAuth callback ###

'oauth_token' => '3G61MtFOzOwUCzFCZ0i7qlBLCNg3GeSBq6JomuChg',
'oauth_verifier' => 'kZRqjesOVETmL9Sf7k3NnGRItnKXFm525UN8D6GG7DE'

### access_token request ###

GET https://api.twitter.com/oauth/access_token
Authorization: OAuth oauth_consumer_key="<elided>",oauth_nonce="JhQ00FmtBqcq6wo%2Be%2F60vD%2F8G28",oauth_signature="qb1M%2F9xFvViKpoX8q%2BU%2Bl%2B2UTog%3D",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1293104564",oauth_token="3G61MtFOzOwUCzFCZ0i7qlBLCNg3GeSBq6JomuChg",oauth_verifier="kZRqjesOVETmL9Sf7k3NnGRItnKXFm525UN8D6GG7DE",oauth_version="1.0"
User-Agent: Net::Twitter/3.14002 (Perl)
X-Twitter-Client: Perl Net::Twitter
X-Twitter-Client-URL: http://search.cpan.org/dist/Net-Twitter/
X-Twitter-Client-Version: 3.14002

### access_token response ###

HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Connection: close
Date: Thu, 23 Dec 2010 11:42:59 GMT
Pragma: no-cache
Server: hi
Vary: Accept-Encoding
Content-Length: 1
Content-Type: text/html; charset=utf-8
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Last-Modified: Thu, 23 Dec 2010 11:42:59 GMT
Client-Date: Thu, 23 Dec 2010 11:42:44 GMT
Client-Peer: 128.242.245.221:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Client-SSL-Cert-Subject: /serialNumber=Zys2dJJ09EPoEVGXYtegIdxG3OZtEOib/C=US/O=*.twitter.com/OU=GT57932074/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.twitter.com
Client-SSL-Cipher: DHE-RSA-AES256-SHA
Client-SSL-Warning: Peer certificate not verified
Set-Cookie: k=67.225.143.17.1293104579798347; path=/; expires=Thu, 30-Dec-10 11:42:59 GMT; domain=.twitter.com
Set-Cookie: guest_id=12931045798095818; path=/; expires=Sat, 22 Jan 2011 11:42:59 GMT
Set-Cookie: _twitter_sess=BAh7CDoPY3JlYXRlZF9hdGwrCOMEChMtAToHaWQiJWUxM2Y2NDJmZTEyN2Zi%250AMzg2YzYwMmU5YTMzZDVhZGU1IgpmbGFzaElDOidBY3Rpb25Db250cm9sbGVy%250AOjpGbGFzaDo6Rmxhc2hIYXNoewAGOgpAdXNlZHsA--36b451a851e6404056943292a2fab12dd899903e; domain=.twitter.com; path=/
Status: 401 Unauthorized
X-Revision: DEV
X-Runtime: 0.01195
X-Transaction: 1293104579-11568-25044

### end ###

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk
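
A triage check over the capture above, as an added example that is not part of the original post: it compares each signed oauth_timestamp with the server's Date and the client's Client-Date, and flags a 401 with no body and a TLS peer that was not verified. The header values are copied from the post; the function name and the 300-second tolerance are assumptions, since the post does not state the provider's accepted window.

```python
import re
from email.utils import parsedate_to_datetime

# Lines copied from the two exchanges in the post (unrelated headers omitted).
REQUEST_TOKEN = """\
Authorization: OAuth oauth_signature_method="HMAC-SHA1",oauth_timestamp="1293104523",oauth_version="1.0"
HTTP/1.1 200 OK
Date: Thu, 23 Dec 2010 11:42:18 GMT
Content-Length: 145
Client-Date: Thu, 23 Dec 2010 11:42:04 GMT
Client-SSL-Warning: Peer certificate not verified
"""
ACCESS_TOKEN = """\
Authorization: OAuth oauth_signature_method="HMAC-SHA1",oauth_timestamp="1293104564",oauth_version="1.0"
HTTP/1.1 401 Unauthorized
Date: Thu, 23 Dec 2010 11:42:59 GMT
Content-Length: 1
Client-Date: Thu, 23 Dec 2010 11:42:44 GMT
Client-SSL-Warning: Peer certificate not verified
"""

# Assumed tolerance in seconds; the provider's real window is not in the post.
MAX_SKEW = 300


def triage(capture, max_skew=MAX_SKEW):
    """Return clock offsets and warning flags for one captured exchange."""
    headers = dict(
        line.split(": ", 1) for line in capture.splitlines() if ": " in line
    )
    status = int(re.search(r"^HTTP/\d\.\d (\d{3})", capture, re.M).group(1))
    # Time the client put into the signed OAuth parameters (Unix seconds).
    signed_at = int(re.search(r'oauth_timestamp="(\d+)"', capture).group(1))
    # Date is the server's clock; Client-Date is stamped locally on receipt.
    server = parsedate_to_datetime(headers["Date"]).timestamp()
    client = parsedate_to_datetime(headers["Client-Date"]).timestamp()
    return {
        "status": status,
        "server_minus_signed": int(server - signed_at),
        "server_minus_client": int(server - client),
        "skew_exceeds_window": abs(server - signed_at) > max_skew,
        # A failure with no explanation in the body, as noted in the post.
        "empty_error_body": status >= 400 and int(headers["Content-Length"]) <= 1,
        # The client did not validate the server certificate on this connection.
        "tls_peer_unverified": "not verified" in headers.get("Client-SSL-Warning", ""),
    }


if __name__ == "__main__":
    for name, capture in (("request_token", REQUEST_TOKEN), ("access_token", ACCESS_TOKEN)):
        print(name, triage(capture))
```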