Twitter API - Reasons for "invalid or expired token"

Ran · Jul 14, 2013 · Viewed 41.4k times

What are the possible reasons that can cause a token to become expired (besides the user un-authorising the app)?

My problem is that I have an app with several thousand users. All API communication works perfectly, but for some users I am getting the "invalid or expired token" error. My initial thought was that they are users who canceled the authentication to the app, but I've contacted some of them and they haven't revoked the access.

Any ideas what other issues can cause that error?

Answer

My God · Aug 1, 2013

Check the integrity of an access token at any time by calling GET account/verify_credentials while using that access token.

It's mentioned, and by research I came to know, that:

Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application. If your application is suspended there will be a note on your application page saying that it has been suspended.

Why is my twitter oauth access token invalid / expired ?

Check this post: invalid / expired access tokens.

There is one post in Google Groups that says:

You don't get a second chance, and this is by design. OAuth requests have a unique signature; once a particular request is submitted, it can't be submitted again. If they enter the pin correctly, all is well, you get an access token. If they enter the pin wrong, you get 401 Unauthorized - which is expected. But if they then try again to enter the pin, even the correct pin shows as unauthorized.

Check this link for the above reference.

Some suggestions by a Twitter employee for the same problem:

I guess there are two things I would suggest at this point: 1.) Go to your application settings and use the "Reset keys" tab to reset your consumer key and secret, then update those values in the app and verify that you still see the same behavior. 2.) Try passing oauth_callback in your request_token call. Honestly I don't think this will make a difference, but I want to try and be as rigorous as I can here.

Also check this discussion saying:

You need to use the oauth_token and oauth_token_secret returned from the oauth/access_token call instead of the one in your app's settings in dev.twitter.com.
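
The following is an added example, not part of the original answer or Twitter's own code. It builds the OAuth 1.0a (RFC 5849) HMAC-SHA1 Authorization header for the GET account/verify_credentials check, showing that the signing key includes the per-user oauth_token_secret from oauth/access_token and that a fresh nonce and timestamp make every request's signature unique. The endpoint URL, the function names and the credentials are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Assumed endpoint for the GET account/verify_credentials call named above.
VERIFY_URL = "https://api.twitter.com/1.1/account/verify_credentials.json"

def pct(value):
    """Percent-encode as OAuth 1.0a requires (RFC 5849 section 3.6)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with consumer_secret&token_secret, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    message = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode()

def verify_credentials_header(consumer_key, consumer_secret, token, token_secret,
                              nonce=None, timestamp=None):
    """Authorization header for one verify_credentials request (hypothetical helper)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),   # fresh value per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,                            # per-user access token
        "oauth_version": "1.0",
    }
    # The signature covers every oauth_* parameter, so a resubmitted request
    # carries the same nonce and timestamp and is recognisable as a repeat.
    params["oauth_signature"] = sign("GET", VERIFY_URL, params,
                                     consumer_secret, token_secret)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))
    return "OAuth " + fields

if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys.
    print(verify_credentials_header("CK_EXAMPLE", "CS_EXAMPLE",
                                    "USER_TOKEN", "USER_SECRET"))
```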