Invalid login attempt on Three Step TBA Authorization Flow

Hello! I am working on setting up the Three-Step TBA Authorization Flow. I am stuck on step one, when I send the POST request, I get:
{“error” : {“code” : “USER_ERROR”, “message” : “Invalid login attempt.”}}

And in the login audit trail the error detail is: “invalidSignature”

Any idea of ​​the possible cause.

Thanks in advance.
Rookie Asked on June 30, 2023 in Other.
Add Comment
2 Answer(s)


It’s probably not a bad idea to get this working in Postman before first and I have this sample for generating the Authorization header:


const company_id = 'TSTDRV2257533';
const consumer_key = '0baf0c22d7ddf1f15e4ae6b7ba7284c0b8151a321cebfc45b5d66fb9b52d208b';
const consumer_secret = '67d527e35ee157c70c4e58b3a1c06fad0bfc4a2287fa48bfb20b6948b9eeeeab';
const state = 'https://my_alternative_redirect_url';
pm.collectionVariables.set("company_id", company_id);
pm.collectionVariables.set("consumer_key", consumer_key);
pm.collectionVariables.set("consumer_secret", consumer_secret);
pm.collectionVariables.set("state", state);
const url = `https://${company_id.toLowerCase()}`;
const callback = 'http://localhost';
const nonce = Math.random().toString().substring(2);
const d = new Date();
const timestamp = Math.round(d.getTime() / 1000);
let params = `oauth_callback=${encodeURIComponent(callback)}&oauth_consumer_key=${consumer_key}&oauth_nonce=${nonce}&oauth_signature_method=HMAC-SHA256&oauth_timestamp=${timestamp}`;
let sig_string = `POST&${encodeURIComponent(url)}&${encodeURIComponent(params)}`;
let sha256digest = CryptoJS.HmacSHA256(sig_string, consumer_secret + '&');
let base64sha256 = CryptoJS.enc.Base64.stringify(sha256digest);
let auth = `OAuth oauth_consumer_key="${consumer_key}", oauth_nonce="${nonce}", oauth_timestamp="${timestamp}", oauth_signature_method="HMAC-SHA256", oauth_callback="${encodeURIComponent(callback)}", oauth_signature="${encodeURIComponent(base64sha256)}"`;
pm.collectionVariables.set("auth", auth);


You then use this here:

RE: Invalid login attempt on Three Step TBA Authorization Flow



Intermediate Answered on July 4, 2023.
Add Comment

That’s a problem that I’ve been facing too and stil get in some occasions.

Some frequent errors:
– Your token/integration it’s not in the right setup;
– Your authorizing procces it’s not valid

First try Chris’es suggestion to check if your token and client information are correctly.

That been cleared out, check the way that authorizing and signing your request, if possible, logging the headers information from your request before sending it to check if the Authorization header it’s right.

One of the problems that I founf on custom integrations is that the nonce and the timestamp should be the same in the signature and in the authorization header to be sended in the request, otherwise it gives a invalid login attempt without explaining why.

Rookie Answered on July 4, 2023.
Add Comment

Your Answer

By posting your answer, you agree to the privacy policy and terms of service.
  • This site made possible by our sponsors:   Tipalti   Celigo   Become a Sponsor   Become a Sponsor