I'm pretty sure I've implemented the NS version of Oauth correctly, and its totally random when it happens. I'm unit testing, so no high volume/concurrency limits. Sometimes it takes 4-5 attempts before a call just decides to work.

usual answer is to use an oauth library instead

So your answer is no, your integrations never experience 401 unauthorized errors?

lots of people get unauthorized

Implementing your own signature code increases the likelihood of subtle (or not so subtle) issues that may occasionally lead to invalid signatures. Using the wrong escaping could be a cause of intermittent issues since it may sometimes work, but other times fail, based on the contents of the strings to be escaped. So, definitely use a tried and tested library wherever possible. Also, make sure your nonce generation is sufficiently random an unlikely to repeat itself. Finally, the system clock needs to be accurate, as a timestamp that is too old will definitely be rejected.

^Thanks guys. In my particular case, I was not uri encoding the actual signature itself. So occasionally a + or / would pop up and cause a failure