OAuth 1.0a Access Token Issue – "Invalid oauth_verifier parameter"

Need help APIs
1

Hi everyone,

I’m trying to integrate the X Ads API in my Bubble.io app and have been following the OAuth 1.0a authentication flow. However, I’m stuck at Step 3: POST /oauth/access_token, where I keep getting the error:

Error processing your OAuth request: Invalid oauth_verifier parameter

What I’ve Done So Far:

:one: Requested a Request Token (oauth_token) from /oauth/request_token:white_check_mark: Successfully received oauth_token and oauth_token_secret.
:two: Redirected the user to /oauth/authorize:white_check_mark: User sees the login screen and grants access.
:three: Received oauth_verifier in the callback URL:white_check_mark: The callback contains oauth_token=XYZ123&oauth_verifier=ABC456.
:four: Exchanging for Access Token (oauth/access_token):x: Error: “Invalid oauth_verifier parameter”.

How I’m Sending the Request in Postman:

  • POST request to:
    https://api.twitter.com/oauth/access_token?oauth_token=XYZ123&oauth_verifier=ABC456
  • Authorization (OAuth 1.0) in Postman:
    • Consumer Key :white_check_mark:
    • Consumer Secret :white_check_mark:
    • Access Token :white_check_mark: (Same oauth_token from Step 1)
    • Token Secret :white_check_mark: (Same oauth_token_secret from Step 1)
    • Signature Method: HMAC-SHA1 :white_check_mark:
    • “Add params to header” :white_check_mark:

What I Have Tried:

:arrows_counterclockwise: Regenerating a fresh oauth_token and oauth_verifier – Still getting the same issue.
:no_entry_sign: Checking if oauth_verifier is in the request body – It’s being sent in the query parameters as per X API documentation.
:mag: Ensuring the oauth_token used in this step is the same one from /oauth/request_token – Double-checked.
:hourglass_flowing_sand: Confirming the oauth_token hasn’t expired – Immediately used after generation.

Questions:

:one: Why am I getting “Invalid oauth_verifier parameter”, even when using the correct oauth_verifier from the callback?
:two: Should the request be sent with query parameters or the request body?
:three: Is there something missing in how I’m signing the request?

Any help would be greatly appreciated! :pray:

2

I don’t believe Bubble supports OAuth 1.0a through the API connector

Have you checked out X’s V2 API?

3

Yes, Bubble doesn’t support Oauth 1.0. And this issue is in Postman because I’m trying this in postman first. The above issue is resolved but I’m facing the new issue in the next step of my integration.

4

For oauth1, I always choose to create a plugin with server side script and only use API Connector to create the call and get it parsed by Bubble. The plugin always include everything to be set from body to headers. This way, I’m sure that the headers and body used for the signature is the same as the one used in the API call.