OAuth 1.0a
OAuth 2.0 Bearer Token
POST oauth/request_token
Allows a Consumer application to obtain an OAuth Request Token to request user authorization. This method fulfills Section 6.1 of the OAuth 1.0 authentication flow. We require you use HTTPS for all OAuth authorization steps. Usage Note: Only ASCII values are accepted for theoauth_nonce
Resource URL
https://api.x.com/oauth/request_token
Resource Information
Parameters
Learn more about how to approve your callback URLs on this page.
Please note - You can view and edit your existing X apps via the X app dashboard if you are logged into your X account on developer.x.com.
Example request
Request URL:
POST https://api.x.com/oauth/request_token
Request POST Body: N/A
Authorization Header: OAuth oauth_nonce="K7ny27JTpKVsTgdyLdDfmQQWVLERj2zAK5BslRsqyw", oauth_callback="http%3A%2F%2Fmyapp.com%3A3005%2Ftwitter%2Fprocess_callback", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1300228849", oauth_consumer_key="OqEqJeafRSF11jBMStrZz", oauth_signature="Pc%2BMLdv028fxCErFyi8KXFM%2BddU%3D", oauth_version="1.0"
Response: oauth_token=Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik&oauth_token_secret=Kd75W4OQfb2oJTV0vzGzeXftVAwgMnEK9MumzYcM&oauth_callback_confirmed=true
GET oauth/authorize
Allows a Consumer application to use an OAuth Request Token to request user authorization. This method fulfills Section 6.2 of the OAuth 1.0 authentication flow. Desktop applications must use this method (and cannot use GET oauth / authenticate). Usage Note: Anoauth_callback is never sent to this method, provide it to POST oauth / request_token instead.
Resource URL
https://api.x.com/oauth/authorize
Resource Information
Parameters
Example request
Send the user to the
oauth/authorize step in a web browser, including an oauth_token parameter:
https://api.x.com/oauth/authorize?oauth_token=Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik
GET oauth/authenticate
Allows a Consumer application to use an OAuthrequest_token to request user authorization.
This method is a replacement of Section 6.2 of the OAuth 1.0 authentication flow for applications using the callback authentication flow. The method will use the currently logged in user as the account for access authorization unless the force_login parameter is set to true.
This method differs from GET oauth / authorize in that if the user has already granted the application permission, the redirect will occur without the user having to re-approve the application. To realize this behavior, you must enable the Use Sign in with X setting on your application record.
Resource URL
https://api.x.com/oauth/authenticate
Resource Information
Parameters
Example request
Send the user to the
oauth/authenticate step in a web browser, including an oauth_token parameter:
https://api.x.com/oauth/authenticate?oauth_token=Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik
POST oauth/access_token
Allows a Consumer application to exchange the OAuth Request Token for an OAuth Access Token. This method fulfills Section 6.3 of the OAuth 1.0 authentication flow. Resource URLhttps://api.x.com/oauth/access_token
Resource Information
Parameters
Example request
POST https://api.x.com/oauth/access_token?oauth_token=qLBVyoAAAAAAx72QAAATZxQWU6P&oauth_verifier=ghLM8lYmAxDbaqL912RZSRjCCEXKDIzx
From PIN-based POST https://api.x.com/oauth/access_token?oauth_token=9Npq8AAAAAAAx72QBRABZ4DAfY9&oauth_verifier=4868795
Example response
oauth_token=6253282-eWudHldSbIaelX7swmsiHImEL4KinwaGloHANdrY&oauth_token_secret=2EEfA6BG5ly3sR3XjE0IBSnlQu4ZrUzPiYTmrkVU&user_id=6253282&screen_name=xapi
POST oauth/invalidate_token
Allows a registered application to revoke an issued OAuth access_token by presenting its client credentials. Once an access_token has been invalidated, new creation attempts will yield a different Access Token and usage of the invalidated token will no longer be allowed. Resource URLhttps://api.x.com/1.1/oauth/invalidate_token
Resource Information
Example request
POST oauth2/token
Allows a registered application to obtain an OAuth 2 Bearer Token, which can be used to make API requests on an application’s own behalf, without a user context. This is called Application-only authentication. A Bearer Token may be invalidated using oauth2/invalidate_token. Once a Bearer Token has been invalidated, new creation attempts will yield a different Bearer Token and usage of the previous token will no longer be allowed. Only one bearer token may exist outstanding for an application, and repeated requests to this method will yield the same already-existent token until it has been invalidated. Successful responses include a JSON-structure describing the awarded Bearer Token. Tokens received by this method should be cached. If attempted too frequently, requests will be rejected with an HTTP 403 with code 99. Resource URLhttps://api.x.com/oauth2/token
Resource Information
Parameters
Example request
POST oauth2/invalidate_token
Allows a registered application to revoke an issued oAuth 2.0 Bearer Token by presenting its client credentials. Once a Bearer Token has been invalidated, new creation attempts will yield a different Bearer Token and usage of the invalidated token will no longer be allowed. Successful responses include a JSON-structure describing the revoked Bearer Token. Resource URLhttps://api.x.com/oauth2/invalidate_token
Resource Information
Parameters
Example request