First of all nice question Ran.

I want to ask you that have you gone through Twitter developers??

Sometimes it becomes ambiguous that which token to use since Twitter provides two pairs of tokens and the library.One of them is a secret key.

You need to select those token which starts with your Twitter ID followed by a hyphen.

Now your question is this error happens with some of yours users. So here is the answer that an app itself finds ambiguous to choose the token.

Though I might not be completely right, but I recommend you to try this solution at least once.

In addition to the comments everyone else has made, sometimes the twitter api will return a "invalid token" error when the token isn't the problem. I've noticed it the most when I've built a request string that doesn't parse correctly. For example, once I was getting that error when I was passing in screen_name's that had symbols that weren't URI-encodable. I also have gotten it when I passed in empty values like this (where the cursor is empty):

https://api.twitter.com/1/followers.json?cursor=&screen_name=whatevah

Could you give us the specifics of the calls that are returning this error?

Check the integrity of an access token at any time by calling the GET account/verify_credentials while using that access token.

Its mentioned and by research I came to know that:

Your access token will be invalid if a user explicitly rejects your application from their settings or if a Twitter admin suspends your application. If your application is suspended there will be a note on your application page saying that it has been suspended.

Why is my twitter oauth access token invalid / expired ?

Check this post: invalid / expired access tokens.

There is one post in google groups that says:

You don't get a second chance, and this is by design. OAuth requests have a unique signature; once a particular request is submitted, it can't be submitted again. If they enter the pin correctly, all is well, you get an access token. If they enter the pin wrong, you get 401 Unauthorized - which is expected. But if they then try again to enter the pin, even the correct pin shows as unauthorized.

Check this link for the above reference.

Some suggestions by twitter employee for the same problem:

I guess there are two things I would suggest at this point: 1.) Go to your application settings and use the "Reset keys" tab to reset your consumer key and secret, then update those values in the app and verify that you still see the same behavior. 2.) Try passing oauth_callback in your request_token call. Honestly I don't think this will make a difference, but I want to try and be as rigorous as I can here.

Also check this discussion saying:

You need to use the oauth_token and oauth_token_secret returned from the oauth/access_token call instead of the one in your app's settings in dev.twitter.com

if your Access Token=738629462149844993-FcWHjfcucCLGEosyGGQ38qI******iC then don't forget to mention hyphen (-) followed by your USERID.

It might be possible these users have not revoked access. But in my experience an access token can also get expired after the user (in test cases: me) changed his/her password.

When the user does that, you can no longer use the REST API of stream API on that user's scope. Please adapt your application to handle with that situation. Revoke the user's session, so when he comes back to your application, he/she can be redirected to Twitter again to start a new OAuth access token process. Or send him/her an e-mail to kindly ask to reconnect. Vimeo/Windows/... are some of the people handling expired tokens with e-mails.

Have fun!

Have you confirmed that the tokens worked at one time? In an OAuth system I worked on, there was an error in how tokens were securely stored and retrieved that caused a small percentage of them to become corrupted. If you can confirm that the tokens worked in the past, that's a good first step.

When you retrieve the tokens from storage, are they unchanged? Is it possible for them to get corrupted with the way you're managing them?

Put some logging in place to keep track of when tokens work and fail. Does a token ever start working again after it has failed once? If you fail to use a token for 30 days, does it expire? With a detailed log, you can start identifying the expired tokens and look for patterns in use to point to what might cause them to expire.

Be sure to explore other possibilities as well. How do users revoke tokens in Twitter? Is it easy to accidentally do that? For users with failed tokens, do they have other authorized apps that have stopped working as well?