I struggled with this for awhile and none of the answers I've found seemed to help. The documentation for the error is also a vague "something went wrong".

My problem is that I was using a mashup of code I found, and the headers weren't used correctly:

$headers = array(
    'Authorization' => 'Basic ' . base64_encode($appid . ':' . $secret), // WRONG!!!

    'Authorization: Basic ' . base64_encode($appid . ':' . $secret),     // Correct!
    'Content-Type: application/x-www-form-urlencoded;charset=UTF-8',     // Correct!
);

For me, the problem was that the Authorization header was using key-value format, while the content-type header was not. This broke the authorization header.

Here are some other things to check that also relate to error 99:

1. Verify that your credentials are correct and base64 encoded (see above)
2. Make sure the request is using POST
3. Ensure the content-type is set (see above)
4. Make sure you included grant_type=client_credentials as a post field.
5. SSL is required, make sure that is being used (https://)
6. Try verbose logging to help debugging. It should include SSL certificate information, your authorization header, and content type header. This won't show the grant_type field though, only headers.
7. If everything looks OK but it still won't work, you might be getting rate limited. Rate limits reset every 15 minutes.

When you finally get your access token, make sure you cache it to avoid rate limiting. You get 450 requests every 15 minutes, I believe. Half of that will be spent on getting your access token if you don't cache it!

After fighting with this problem, i finally come up with the solution. Twitter is not actually sending the right message if error exist anywhere.

When i send request from curl, it works fine but when through code. i was having same error {"errors":[{"label":"authenticity_token_error","code":99,"message":"Unable to verify your credentials"}]}

So what i got, problem was lying with Access control header. setting these header does not work for me

     xhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded")
     xhttp.setRequestHeader('Access-Control-Allow-Headers', '*');
     xhttp.setRequestHeader('Access-Control-Allow-Origin', '*')
     xhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest')

as a workaround i just used this url to bypass request to handler cors

https://cors-anywhere.herokuapp.com/https://api.twitter.com/oauth2/token

added "https://cors-anywhere.herokuapp.com/" before the actual url and it began to work. hope someone may face this issue in problem

There's an accepted answer here already but just in case someone stroll to this post and had the same issue I did...

Twitter docs for reference -> OAuth 2.0 docs

Misconception #1: The Authorization String is generated using the consumer key (aka API-Key) and consumer secret (aka API Secret Key). The display of those credentials in the UI on developer.twitter.com is less apparent than that of apps.twitter.com. Nonetheless common RIF problem.

Misconception #2: This one is not really an misconception but an implementation error when base64 encoding the url concatenated Consumer Key+":"+Consumer Secret. If not doing this programmatically be sure to check for whitespaces anywhere (especially around the :) in the concatenated string you are base64 encoding.

Just a tad bit advice as well postman has a wonderful utility that makes the rest call to retrieve an oauth2.0 token (as well as other auth tokens) this was useful for me when trying to consume api's with the that required an oauth1.0 token

After fighting with this problem for a while I found the problem was I was making the call to /oauth2/token using Advanced Rest Client from a browser I was already logged into Twitter with. After logging out of Twitter and making the API call again it worked fine.

Short answer: make sure you do not already have an active session logged into Twitter when attempting to request a Bearer token.