A few weeks ago, we announced several upcoming changes to the developer platform in advance of new European Union data privacy regulations going into effect soon.
Today, we’d like to share an additional change for customers using Sign in with Twitter:
Sign in with Twitter allows developers to access Twitter content in order to make it easy for their users to sign in with just a few clicks. Developers use callback URLs as part of this integration in order to provide directions on where a user should go after signing in with their Twitter credentials.
As part of our continued effort to ensure safety and security in our developer platform, we’re announcing a new requirement that any developer using Sign in with Twitter must explicitly declare their callback URLs in a whitelist on apps.twitter.com.
In 30 days, we will begin enforcing the whitelist such that any URL not added to the whitelist will fail. This means that URLs can no longer be programmatically overridden in calls to the `oauth/request_token` endpoint. The `callback_url` parameter provided must match one of the whitelisted callback URLs. While we generally provide longer than a 30-day notice for changes like this, this timeline allows us to continue to provide a safe and secure experience for developers and our users.
You can add callback URLs to your whitelist on the applications settings page on apps.twitter.com.
- Enable the setting “Enable Callback Locking” to test that only URLs you have whitelisted are accepted.
- Callback URLs will automatically be locked and the whitelist will be enforced starting on June 12th. The “Enable Callback Locking” setting will be removed on this date.
- Check the documentation for more information.
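
The following is an added example, not part of the original announcement and not Twitter's code: a pre-flight check an app could run before calling `oauth/request_token`, shown beside a prefix comparison to illustrate why callbacks are matched as whole URLs. The hosts and function names are constructed, and the matching rule (equality of scheme, host, port, path and query after canonicalization) is an assumption, since the announcement says only that the callback must match a whitelisted URL.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical hosts), standing in for the callback
# URLs an app declares on its settings page.
ALLOWED_CALLBACKS = [
    "https://app.example.com/auth/twitter/callback",
    "https://staging.example.com",
]

def canonical(url):
    """Return (scheme, host, port, path, query), or None if unusable."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    # Reject userinfo and fragments: they have no place in a callback URL.
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, parts.hostname.lower(), port, parts.path or "/", parts.query)

def prefix_match(callback, allowed=ALLOWED_CALLBACKS):
    """Weak check, for contrast: string prefix comparison."""
    return any(callback.startswith(entry) for entry in allowed)

def strict_match(callback, allowed=ALLOWED_CALLBACKS):
    """Assumed rule: whole-URL equality after canonicalization."""
    wanted = canonical(callback)
    return wanted is not None and any(wanted == canonical(e) for e in allowed)

def check_before_request_token(callback):
    """Fail early in the app rather than at the provider."""
    if not strict_match(callback):
        raise ValueError("callback not declared: %r" % callback)
    return callback
```

Running the same check in the app that the provider will enforce surfaces undeclared or dynamically built callbacks during testing rather than as failed sign-ins after enforcement begins.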
Please remember that a handful of additional changes will be taking place over the upcoming months, including:
- Background profile image data is going away on May 14th.
- User timezones are becoming private values in the API after May 23.
- Changes to the Developer Agreement effective May 25th.
To review the details of these changes, please see the April 24th forum announcement.
For any questions related to this update, please use the OAuth category.