I'm trying to add (what I thought would be) a simple feature to a game
I developed - allow the users to post their scores to Twitter. Since
my app is a game for the webOS platform, I felt xauth was the best way
to implement this. I already got xauth approval from Twitter. I also
have been able to request access tokens without any trouble.

However, when it comes down to using the oauth token and oauth secret,
I am totally 100% stuck.
I've spent a few days on this, and I've tried changing small things,
changing it back, it's driving me crazy, and no matter what I do I
always get this response:

failed to post to twitter: {"request":"\/1\/statuses\/update.json","error":"Incorrect signature"}

Here is my code for constructing and signing the base string:
 var updateUrl = "http://api.twitter.com/1/statuses/update.json";
 var timestamp = Math.floor( (new Date(dt.toUTCString() )).getTime()/
 var update_data=
                  'oauth_consumer_key=' +
encodeURIComponent(constants.consumerKey) +
                   '&oauth_nonce=' + encodeURIComponent(nonce) +
                   '&oauth_signature_method=HMAC-SHA1' +
                   '&oauth_timestamp=' + timestamp +
                    '&oauth_token='+encodeURIComponent(o_auth_token) +
                    '&oauth_version=1.0' +
             var base_string = "POST&" + encodeURIComponent(updateUrl)
+ "&" + encodeURIComponent(update_data);
             var oauth_signature =

o_auth_token and o_auth_secret are set prior to this block of code by
parsing the response from the access token url call.

And here is my code for building the authorization header:
var auth_header = 'OAuth
realm="",oauth_consumer_key="'+constants.consumerKey +
SHA1",oauth_timestamp="'+ timestamp +

I've checked that my signature message matches when plugging in
applicable values using this tool:

So it is NOT an issue with signing...

And here is an output base string I get before signing:

and here is the authorization header I sent:

Some things I'm not sure of:
1. Is that first "realm="" " thing needed in the auth header?
2. If I generate unix time using the local time zone, will that cause
an incorrect signature since it would be say pacific time not UTC
time? (seems to work ok to get the access tokens though...)
3. Are spaces correct after each comma in the auth header, or not, or
does it matter?
4. Does the order matter in the auth header?

Thanks a lot for all the help, I'm beat and giving up on this for the
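
An added example, not part of the original post and not the poster's code: a reference construction of the OAuth 1.0 HMAC-SHA1 signature (RFC 5849) for the statuses/update POST described above, showing which parameters enter the base string and which go in the Authorization header. The helper names are hypothetical, and every key, secret, token, nonce, timestamp and status text is a constructed placeholder.

```javascript
const nodeCrypto = require('crypto');

// OAuth 1.0 needs RFC 3986 encoding; encodeURIComponent leaves ! * ' ( ) raw.
function pct(s) {
  return encodeURIComponent(String(s)).replace(/[!*'()]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Base string = METHOD & enc(URL) & enc(sorted "k=v" list). params holds every
// oauth_* value except oauth_signature plus every form/query parameter (status).
function baseString(method, url, params) {
  const list = Object.keys(params)
    .map(k => [pct(k), pct(params[k])])
    .sort((a, b) => (a[0] < b[0] ? -1 : 1))   // keys are unique in this sketch
    .map(p => p[0] + '=' + p[1]).join('&');
  return method.toUpperCase() + '&' + pct(url) + '&' + pct(list);
}

// HMAC-SHA1 keyed with enc(consumerSecret) & enc(tokenSecret), base64 output.
function sign(base, consumerSecret, tokenSecret) {
  return nodeCrypto.createHmac('sha1', pct(consumerSecret) + '&' + pct(tokenSecret))
    .update(base).digest('base64');
}

// Header carries only oauth_* parameters; each value is encoded and quoted.
// Its parameter order is free, because the base string is sorted separately.
function authHeader(oauth, signature) {
  const all = Object.assign({}, oauth, { oauth_signature: signature });
  return 'OAuth ' + Object.keys(all)
    .map(k => pct(k) + '="' + pct(all[k]) + '"').join(', ');
}

// Constructed sample values (placeholders, not real credentials).
const updateUrl = 'http://api.twitter.com/1/statuses/update.json';
const oauth = {
  oauth_consumer_key: 'CONSUMER_KEY_PLACEHOLDER',
  oauth_nonce: 'a1b2c3d4',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_timestamp: '1300000000', // live: Math.floor(Date.now() / 1000), UTC-based
  oauth_token: '12345-TOKEN_PLACEHOLDER',
  oauth_version: '1.0',
};
const form = { status: 'New high score: 9000! (level 3)' };
function demo() {
  const base = baseString('POST', updateUrl, Object.assign({}, oauth, form));
  const sig = sign(base, 'CONSUMER_SECRET_PLACEHOLDER', 'TOKEN_SECRET_PLACEHOLDER');
  return { base, sig, header: authHeader(oauth, sig), body: 'status=' + pct(form.status) };
}
console.log(demo());
```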
