I'm posting this because I couldn't find it anywhere, and I'm sure it has come up in the past.
When URL encoding, use only uppercase characters for the URL codes. Granted, depending on your scripting language and how you're assembling the signature base string, this won't be an issue. However, in my case, I had '%3d' instead of '%3D' in one location. Per RFC3986, this is not a meaningful difference.* In fact, my signature base string passed the base string tester at http://quonos.nl/oauthTester with the lowercase 'd'.

The problem is that the OAuth validator seems to work by constructing a copy of the base signature off of the authorization header, requested URL, and HTTP method (excluding the 'oauth_signature' name/value pair in the authorization header). It then performs an HMAC-SHA1 hash on the base signature string it has constructed from those values and compares it with the submitted signature. When the validator constructs its own base signature string it uses all uppercase characters in the URL escape codes, and that will create a different signature than one derived from mixed case escape codes.

Anyway, I hope this helps someone. I sure could've used it about half a day ago.

*http://tools.ietf.org/html/rfc3986#section-2.1
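The mismatch described above, as an added example that is not code from the post or from Twitter: it builds an OAuth 1.0 signature base string with RFC 3986 percent-encoding (uppercase hex), signs it with HMAC-SHA1, then flips one escape to '%3d' and shows that the two strings decode to the same bytes (so a decoding tester accepts both) yet produce different signatures. The URL, keys and secrets are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Only the RFC 3986 unreserved characters stay literal; everything else is
# percent-encoded, and urllib emits uppercase hex digits as the RFC recommends.
def oauth_encode(value: str) -> str:
    return quote(value, safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # oauth_* header values plus query/body params, minus oauth_signature:
    # encode each key/value, sort, join with '&', then encode the whole thing.
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(param_str)])

def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample request; the secrets are placeholders.
URL = "https://api.example.com/1/statuses/update.json"
PARAMS = {
    "oauth_consumer_key": "example_key",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
    "status": "hello world",
}

def demo() -> dict:
    canonical = signature_base_string("POST", URL, PARAMS)
    # Reproduce the poster's bug: one lowercase escape code in the base string.
    mixed_case = canonical.replace("%3D", "%3d", 1)
    return {
        "canonical": canonical,
        # Decoded forms are identical, which is why a decoding tester accepts both.
        "decodes_equal": unquote(canonical) == unquote(mixed_case),
        # The validator hashes the raw (uppercase) string, so signatures differ.
        "sig_canonical": hmac_sha1_signature(canonical, "consumer_secret", "token_secret"),
        "sig_mixed_case": hmac_sha1_signature(mixed_case, "consumer_secret", "token_secret"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```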