Action REQUIRED - Sign in with Twitter users must whitelist callback URLs



A few weeks ago, we announced several upcoming changes to the developer platform in advance of new European Union data privacy regulations going into effect soon.

Today, we’d like to share an additional change for customers using Sign in with Twitter:

Sign in with Twitter allows developers to access Twitter content in order to make it easy for their users to sign in with just a few clicks. Developers use callback URLs as part of this integration in order to provide directions on where a user should go after signing in with their Twitter credentials.

As part of our continued effort to ensure safety and security in our developer platform, we’re announcing a new requirement that any developer using Sign in with Twitter must explicitly declare their callback URLs in a whitelist on

In 30 days, we will begin enforcing the whitelist such that any URL not added to the whitelist will fail. This means that URLs can no longer be programmatically overridden in calls to the oauth/request_token endpoint. The callback_url parameter provided must match one of the whitelisted callback URLs. While we generally provide longer than a 30-day notice for changes like this, this timeline allows us to continue to provide a safe and secure experience for developers and our users.

You can add callback URLs to your whitelist on the applications settings page on

  • Enable the setting “Enable Callback Locking” to test that only URLs you have whitelisted are accepted.
  • Callback URLs will automatically be locked and the whitelist will be enforced starting on June 12th. The “Enable Callback Locking” setting will be removed on this date.
  • Check the documentation for more information.

Please remember that a handful of additional changes will be taking place over the upcoming months, including:

  • Background profile image data is going away on May 14th.
  • User timezones are becoming private values in the API after May 23.
  • Changes to the Developer Agreement effective May 25th.
  • Updates to Twitter Terms of Service and Privacy Policy updates are effective May 25th.

To review the details of these changes, please see the April 24th forum announcement.

For any questions related to this update, please use the OAuth category.

Application OAuth callback URL can't be whitelisted
Testing out Callback URL whitelisting ahead of launch
How to use a wildcard callback_url with the new callback rules
Callback URL not approved - but worked for months
OAuth callback URL lockdown
[Solved] OAuth::Unauthorized (403 Forbidden)
I am unable to see any option to Whitelist my callback_url
Callback URL not approved - but worked for months
Failed to get request token
Whitelist Instructions - Am I Missing a Step for iOS?
How to whitelist a twitter application
Failed to get request token
Python 2.7 Flask Oauth failing starting today 2018-06-12
Failed to get request token
Not returning User's Email address in External Callback
Cannot find "Callback Locking" option
Callback URL not approved
Authentication Failed. Returns error "403 Forbidden: The request is understood, but it has been refused"
Website url and CallBack url for Exponent apps


Authentication failed! Twitter returned an error. 403 Forbidden: The request is understood, but it has been refused
Callback URL
Whoa there! The request token for this page is invalid. It may have already been used, or expired because it is too old