Summary: I would like to see an API exposing account login and access events.
For background on a use case, our product ( https://antidotesystems.com/ ) monitors for geo-consistency and other anomalies amongst a user’s online accounts, and alerts by various means if one or more accounts appear breached.
For Twitter data collection, the { timestamp/IP address/geo } tuples of access events are rendered in the web client from this endpoint:
https://api.twitter.com/1.1/account/personalization/p13n_data.json
However, this isn’t an officially supported API for third parties. One workaround is to mimic a browser client to collect Twitter access data, which is not great, since the 3rd party would need to gather a user’s credentials, and gain full operational access, which we don’t want, to do so. Particularly for a security product.
Our request is to consider something like /account/personalization/p13n_data.json as a supported API. The existing (unsupported) endpoint has several fields: login_history is core to our use case; known_devices is also a useful input from a security perspective. Otherwise, /p13n_data.json has overlap with the supported public endpoint https://api.twitter.com/1.1/account/settings.json.
This fits with the 'Read only' permission in Twitter’s existing auth model. Though ideally, I think a separate permission / OAuth scope like 'monitor_access' makes sense, since there are use cases that don’t need to even read tweets.
I can understand why this kind of API for building Twitter apps would have been considered atypical in the past, but with the state of the world in 2017, I believe that opening the platform to enable more stringent security should be a first-order consideration.
Thanks,
Dave