RE: Invalid login attempt on Three Step TBA Authorization Flow

Hello! I am working on setting up the Three-Step TBA Authorization Flow. I am stuck on step one, when I send the POST request, I get:
{“error” : {“code” : “USER_ERROR”, “message” : “Invalid login attempt.”}}
I’ve verified that I’m generating the right authorization header based on the example in the documentation. Any tips?

AreelKhan Rookie Asked on November 15, 2022 in Other.
Add Comment
1 Answers


It’s probably easier for me to share a sample that I had working a while back.

This still works in Postman.

POST https://{{company_id}}

const company_id = '';
const consumer_key = '';
const consumer_secret = '';
pm.collectionVariables.set("company_id", company_id);
pm.collectionVariables.set("consumer_key", consumer_key);
pm.collectionVariables.set("consumer_secret", consumer_secret);
const url = `https://${company_id.toLowerCase()}`;
const callback = 'http://localhost';
const nonce = Math.random().toString().substring(2);
const d = new Date();
const timestamp = Math.round(d.getTime() / 1000);
let params = `oauth_callback=${encodeURIComponent(callback)}&oauth_consumer_key=${consumer_key}&oauth_nonce=${nonce}&oauth_signature_method=HMAC-SHA256&oauth_timestamp=${timestamp}`;
let sig_string = `POST&${encodeURIComponent(url)}&${encodeURIComponent(params)}`;
let sha256digest = CryptoJS.HmacSHA256(sig_string, consumer_secret + '&');
let base64sha256 = CryptoJS.enc.Base64.stringify(sha256digest);
let auth = `OAuth oauth_consumer_key="${consumer_key}", oauth_nonce="${nonce}", oauth_timestamp="${timestamp}", oauth_signature_method="HMAC-SHA256", oauth_callback="${encodeURIComponent(callback)}", oauth_signature="${encodeURIComponent(base64sha256)}"`;
pm.collectionVariables.set("auth", auth);

I have a Pre-Request Script that calculates the auth header and then I add an Authorization header of {{auth}}.

I’ve also ignored the “state” field here.

I hope this helps!


Intermediate Answered on November 17, 2022.
Add Comment

Your Answer

By posting your answer, you agree to the privacy policy and terms of service.