The interesting thing with my situation is that I'm still in development, so
there's only a single person (me) hitting the app. Further, I'm only
attempting a single call to Twitter.

Also, I get a 401 on everything that requires authentication, but not on
something like a rateLimitStatus check.

Further, a call to /followers/ids.xml *works* on my local dev box, but not
on the production server. The only difference I can think of would be IP

I've been able to trace 3 separate requests being generated by Twitter4J and
here are the values:

[Wed Aug 12 10:19:56 PDT 2009]

[Wed Aug 12 10:20:20 PDT 2009]

[Wed Aug 12 10:24:39 PDT 2009]

Each timestamp is larger than the last and each nonce is unique.

Knowing that my values are legit makes me think there's another problem, but
Twitter hasn't responded to my api@ email.

Rob O'Brien
Web Application Developer & Consultant
-----Original Message-----
[] On Behalf Of Zaudio
Sent: Tuesday, August 11, 2009 12:04 PM
To: Twitter Development Talk
Subject: [twitter-dev] Re: Invalid / used nonce

We're having the same issue in our app, occurs sporadically in our
logs - but I believe the cause with us is that:

We're generating nonce values as a timestamp seeded sequence of random
We're creating an instance of the Oauth class that does this for each
logged in user for the app

Thus, for a single timestamp, it IS possible that the time seeded
nonce values are the same....

So - corrrective action being trialled: I'm prefixing the 'random'
nonce value with the userID stripped from the start of the token,
padded to a fixed length of chars... this should guarantee then that
the nonce/timestamp combo is indeed unique for every request made from
our app ....


On Aug 11, 6:45 am, Dan Borthwick <> wrote:
> For our app, we successfully call request_token from our server. When
> we then call statuses/update from the client, we get a 401 'Invalid /
> usednonce' response. If the request_token call comes directly from
> the client, the update call succeeds.
> The nonces have been sanity checked and are definitely different for
> each call. GET requests to users/show succeed regardless of whether
> the request_token comes from the proxy server or client. Code is based
> on MGTwitterEngine-1.0.8-OAuth.
> The same code was working ok prior to the recent DoS downtime. Perhaps
> something has been changed on Twitter's side that might result in the
> 401 response?
> On Aug 11, 8:38 am, graceawalker <> wrote:
> > No, mynonceis definately new every time. Surely if there was
> > something wrong with the way it was being generated it would error
> > during requestToken/accessToken/VerifyCredentials too?? All the code
> > ive looked through is doing it exactly the same way. Is the 'status'
> > parameter being used just like all the oauth parameters? is an
> > 'invalidnonce' error, definately an invalidnonceor could it be to
> > do with the timestamp and timezones. Clutching at straws here...
> > On Aug 11, 3:12 am, Chris Babcock <> wrote:
> > > On Mon, 10 Aug 2009 04:14:43 -0700 (PDT)
> > > graceawalker <> wrote:
> > > > I am calling and getting the whole way up to getting the access
> > > > just fine in my app (one im writing myself in c#), but when i try
> > > > call the update status URL im getting an 'Invalid/usednonce' error
> > > > my response data. Im not sure why this is, im calling the update
> > > > method in the exact same way that i called request token apart from
> > > > the new 'status' parameter in the query string. I call 'verify
> > > > credentials' with my access token to ensure that it is working and
> > > > sends me back all of the correct data, but it is erroring when
> > > > to update my status. Is there any obvious solution to this, or am i
> > > > not supposed to be signing and organising the parameters in the same
> > > > way that i did before? Im really stuck here guys and need help!
> > > Right, thenonceis a "number used once". Its purpose is to prevent
> > > replay attacks. If you use the samenoncefor more than one call to the
> > > API then you *should* be getting an error.
> > > Chris- Hide quoted text -
> - Show quoted text -

Reply via email to