RE: Invalid login attempt on Three Step TBA Authorization Flow

Hello! I am working on setting up the Three-Step TBA Authorization Flow. I am stuck on step one, when I send the POST request, I get:
{“error” : {“code” : “USER_ERROR”, “message” : “Invalid login attempt.”}}
I’ve verified that I’m generating the right authorization header based on the example in the documentation. Any tips?

AreelKhan Rookie Asked on November 15, 2022 in Other.
Add Comment
1 Answers


It’s probably easier for me to share a sample that I had working a while back.

This still works in Postman.

POST https://{{company_id}}

const company_id = '';
const consumer_key = '';
const consumer_secret = '';
pm.collectionVariables.set("company_id", company_id);
pm.collectionVariables.set("consumer_key", consumer_key);
pm.collectionVariables.set("consumer_secret", consumer_secret);
const url = `https://${company_id.toLowerCase()}`;
const callback = 'http://localhost';
const nonce = Math.random().toString().substring(2);
const d = new Date();
const timestamp = Math.round(d.getTime() / 1000);
let params = `oauth_callback=${encodeURIComponent(callback)}&oauth_consumer_key=${consumer_key}&oauth_nonce=${nonce}&oauth_signature_method=HMAC-SHA256&oauth_timestamp=${timestamp}`;
let sig_string = `POST&${encodeURIComponent(url)}&${encodeURIComponent(params)}`;
let sha256digest = CryptoJS.HmacSHA256(sig_string, consumer_secret + '&');
let base64sha256 = CryptoJS.enc.Base64.stringify(sha256digest);
let auth = `OAuth oauth_consumer_key="${consumer_key}", oauth_nonce="${nonce}", oauth_timestamp="${timestamp}", oauth_signature_method="HMAC-SHA256", oauth_callback="${encodeURIComponent(callback)}", oauth_signature="${encodeURIComponent(base64sha256)}"`;
pm.collectionVariables.set("auth", auth);

I have a Pre-Request Script that calculates the auth header and then I add an Authorization header of {{auth}}.

I’ve also ignored the “state” field here.

I hope this helps!


Intermediate Answered on November 17, 2022.

Hey Chris! Thanks a lot! Here’s what I did: pasted the JS script into the “Pre-request Script” section on Postman, filled in the company_id and consumer key and secret. Used the request URL that you have provided above and hit send on the POST request via Postman. Still got the same error unfortunately: 

 {"error" : {"code" : "USER_ERROR", "message" : "Invalid login attempt."}} 
 Do you think I missed a step from your solution, or is this being caused by an unrelated issue?

on November 28, 2022.
Add Comment

Your Answer

By posting your answer, you agree to the privacy policy and terms of service.