Hi Miguel,

Your signature base string is off by just a little bit here -- you're globbing the query parameter "count" on to the original URL when it should be separated out. The query string part of the URL should be represented only as key/value pairs, sorted with the other OAuth parameters. Your sorting here is correct, it's just that you're including the encoded "?" mark here. Had this been a parameter that would have started with a "p", for example, you'd have that parameter following the oauth_* parameters.

Here's an example of a signature base string with this encoded correctly (though using different keys):

GET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fhome_timeline.json&count%3D200%26oauth_consumer_key%3Dri8JxYK2ddwSV5xIUfNNvQ%26oauth_nonce%3DcafnvEsPqnuVgXbqDqaw1X2SFvTSd9wYjpF5ZtHruFM%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1274462075%26oauth_token%3D819797-torCkTs0XK7H2Y2i1ee5iofqkMC4p7aayeEXRTmlw%26oauth_version%3D1.0

Hope this helps!

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod

On Fri, May 21, 2010 at 9:59 AM, Miguel de Icaza <miguel.de.ic...@gmail.com> wrote:
> Hello folks,
>
> I have my client speaking OAuth to twitter for the entire initial
> dance up to getting my access token.
>
> But once I try using the access token to call:
> http://api.twitter.com/1/statuses/mentions.json?count=200
>
> All I get from twitter is a 401 with the following body:
>
> {"request":"/1/statuses/mentions.json?count=200","error":"Incorrect signature"}
>
> I followed the steps described here: http://dev.twitter.com/pages/auth
> and just assumed that since there is no content, the value for
> computing the signature is not needed.
>
> GET&http%3A%2F%2Fapi.twitter.com%2F1%2Fstatuses%2Fhome_timeline.json%3Fcount%3D200&oauth_consumer_key%3D***********%26oauth_nonce%3Dcbj41uc3y0d0lju8%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1274460844%26oauth_token%3D**********%26oauth_version%3D1.0
>
> My composite signature is made of my consumer secret (from the twitter
> app page) and the oauth_token_secret returned by the acquire access
> token process
>
> This is what ends up in the HTTP traffic, when I append the
> oauth_signature:
> GET /1/statuses/home_timeline.json?count=200 HTTP/1.1
> authorization: OAuth oauth_consumer_key="******",oauth_nonce="r3cy0enwrqeq1qns",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1274461098",oauth_token="823083-*******",oauth_version="1.0",oauth_signature="dGhefwoSaiSQ0XMSswJ1UdPtkeI%3D"
> Connection: keep-alive
> Host: api.twitter.com
>
> Any ideas on what I am doing wrong?
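
The correction described in the reply above, as an added example that is not part of the original thread and is not Twitter's code: it builds the signature base string with the query string split off the URL and sorted in with the oauth_* parameters, next to the construction that leaves "?count=200" on the URL. The URL and oauth_* values are the ones in the reply's example string; the function names are hypothetical, and the percent-encoding and HMAC-SHA1 key rules are those of OAuth 1.0 (RFC 5849).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Request URL and oauth_* values copied from the example base string in the reply.
URL = "http://api.twitter.com/1/statuses/home_timeline.json?count=200"
EXAMPLE_OAUTH_PARAMS = {
    "oauth_consumer_key": "ri8JxYK2ddwSV5xIUfNNvQ",
    "oauth_nonce": "cafnvEsPqnuVgXbqDqaw1X2SFvTSd9wYjpF5ZtHruFM",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1274462075",
    "oauth_token": "819797-torCkTs0XK7H2Y2i1ee5iofqkMC4p7aayeEXRTmlw",
    "oauth_version": "1.0",
}


def enc(value):
    """Percent-encode as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params):
    """Base string with the query string split off the URL and merged into the parameters."""
    parts = urlsplit(url)
    # Base URI is scheme://host/path only (default-port handling omitted in this sketch).
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    # Encode every key and value first, then sort by key and, for equal keys, by value.
    encoded = sorted((enc(k), enc(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), enc(base_uri), enc(normalized)])


def naive_base_string(method, url, oauth_params):
    """The mistake from the thread: the query string stays attached to the URL."""
    encoded = sorted((enc(k), enc(v)) for k, v in oauth_params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer_secret) & enc(token_secret), base64-encoded."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()
```

Because the server rebuilds the base string from the request it receives, a signature computed over the naive string cannot match, which is what the 401 "Incorrect signature" response reports.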