API for login / access events

api

#1

Summary: I would like to see an API exposing account login and access events.

For background on a use case, our product ( https://antidotesystems.com/ ) monitors for geo-consistency and other anomalies amongst a user’s online accounts, and alerts by various means if one or more accounts appear breached.

For Twitter data collection, the { timestamp/IP address/geo } tuples of access events are rendered in the web client from this endpoint:

https://api.twitter.com/1.1/account/personalization/p13n_data.json

However, this isn’t an officially supported API for third parties. One workaround is to mimic a browser client to collect Twitter access data, which is not great, since the 3rd party would need to gather a user’s credentials and gain full operational access, which we don’t want, to do so, particularly for a security product.

Our request is to consider something like /account/personalization/p13n_data.json as a supported API. The existing (unsupported) endpoint has several fields: login_history is core to our use case; known_devices is also a useful input from a security perspective. Otherwise, /p13n_data.json has overlap with supported public endpoint https://api.twitter.com/1.1/account/settings.json.

This fits with the 'Read only' permission in Twitter’s existing auth model. Though ideally, I think a separate permission / OAuth scope like 'monitor_access' makes sense, since there are use cases that don’t need to even read tweets.

I can understand why this kind of API for building twitter apps would have been considered atypical in the past, but with the state of the world in 2017, I believe that opening the platform to enable more stringent security should be a first order consideration.

Thanks,
Dave

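The geo-consistency monitoring Dave describes works on exactly the { timestamp / IP address / geo } tuples he mentions. The following is an added example, not code from the original thread, from Antidote Systems or from Twitter: it runs an impossible-travel check over a constructed list of access events. The record shape (AccessEvent), the sample coordinates and IP strings, and the 900 km/h speed ceiling are all assumptions for illustration; the real schema of the login_history field is not documented on the page and is not used here.

```python
"""Impossible-travel detection over login/access events (added example).

The AccessEvent shape, the sample events and the speed ceiling are constructed
assumptions; nothing here reads any Twitter endpoint.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple


@dataclass
class AccessEvent:
    timestamp: datetime
    ip: str            # constructed sample value, not a real user's address
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(
    events: List[AccessEvent], max_speed_kmh: float = 900.0
) -> List[Tuple[AccessEvent, AccessEvent, float]]:
    """Return (previous, current, implied_speed_kmh) for each consecutive pair of
    events whose implied ground speed exceeds max_speed_kmh.

    Events are sorted by timestamp first, so callers may pass them in any order.
    A pair with zero elapsed time but non-zero distance is reported with speed inf.
    """
    ordered = sorted(events, key=lambda e: e.timestamp)
    hits: List[Tuple[AccessEvent, AccessEvent, float]] = []
    for prev, cur in zip(ordered, ordered[1:]):
        dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        hours = (cur.timestamp - prev.timestamp).total_seconds() / 3600.0
        if hours <= 0.0:
            if dist_km > 0.0:
                hits.append((prev, cur, float("inf")))
            continue
        speed = dist_km / hours
        if speed > max_speed_kmh:
            hits.append((prev, cur, speed))
    return hits


def _utc(y: int, mo: int, d: int, h: int, mi: int = 0) -> datetime:
    return datetime(y, mo, d, h, mi, tzinfo=timezone.utc)


# Constructed sample: New York, then Boston four hours later (plausible), then
# Tokyo two hours after that (not plausible for a single person).
SAMPLE_EVENTS: List[AccessEvent] = [
    AccessEvent(_utc(2017, 6, 1, 9), "198.51.100.10", 40.71, -74.01),   # New York
    AccessEvent(_utc(2017, 6, 1, 13), "198.51.100.23", 42.36, -71.06),  # Boston
    AccessEvent(_utc(2017, 6, 1, 15), "203.0.113.77", 35.68, 139.69),   # Tokyo
]


def run_sample() -> List[Tuple[AccessEvent, AccessEvent, float]]:
    """Run the check over the constructed sample and return the flagged pairs."""
    return find_impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for prev, cur, speed in run_sample():
        print(
            f"ALERT: {prev.ip} -> {cur.ip} implies {speed:,.0f} km/h "
            f"between {prev.timestamp.isoformat()} and {cur.timestamp.isoformat()}"
        )
```

Only the Boston-to-Tokyo pair is flagged: roughly 10,800 km in two hours implies several thousand km/h, while New York to Boston in four hours is well under the ceiling. In a real monitor the speed ceiling and the handling of known VPN or corporate egress addresses would be tuned per deployment; the point here is that a timestamp/IP/geo feed is sufficient input for this class of check.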

#2

This is an internal / private endpoint, it is not supported as part of the developer platform, and you should not use it. Doing so is likely to lead to our automated systems restricting the access for your application, and may lead to suspension of associated accounts per the developer policy and agreement.

I can certainly understand the interest in this kind of API, but at this point in time this is not something we are considering. Twitter’s APIs have never provided access to this level of detail about users of the platform and from my personal perspective I doubt such a shift would align with our approach - absolutely open to the conversation, but I’m not sure that this would come any time soon. Were this ever to come along, I’d imagine it would provide less detail than you’re suggesting an interest in, and would require some form of whitelisting and monitoring from our side.

The auth question is connected, but also separate. There have been long-standing requests for a more granular authentication and authorization model, and this is a well-known desire from the developer community. We’ve got nothing to announce at this time - considering the scale of the platform and number of apps in existence, such a change would be a huge amount of work - but we’re certainly open to looking more into security and auth in the future.


#3

Thank you for your response, Andy.

While I recognize and commend your charter to evolve the platform API, enabling security monitoring aligns entirely with what’s described in your approach, in particular:

to serve use cases and encourage innovation that leads to a better experience for everyone on Twitter

A search of headlines confirms that people’s accounts get hacked, causing undue stress and damaged reputations, and I contend that both the victims of hacking and those who witness the aftermath would consider it not a good experience. So the platform should enable solutions.

I believe from your engagement on these forums that you’re sincerely driving toward enabling innovation for the Twitter platform as stated in your mission statement. I hope you’ll reconsider the importance of use cases that support the security and hygiene of user accounts.