When developers implement Sign-in with Twitter (3-Legged OAuth) in an application, Twitter uses app permissions to determine what APIs and data the application can access for an authenticated account. The related scope of access for these permissions is displayed in the Sign-in with Twitter authorization dialog for review and acceptance.
We are improving the 3-legged OAuth flow for apps that integrate with the Ads API. This change will inform the advertiser that they are providing access to their Ads Account during the Sign-in with Twitter flow. New app permissions have been introduced and the authorization dialog will be updated to display Ads Account scope of access to the advertiser. Accounts authenticated prior to October 8th, 2018 1pm PDT will need to re-authenticate.
Note: This view will vary depending on platform (i.e. web, iOS, Android) and which permissions your client application is granted.
On January 18, 2019, the new app privileges will be enforced. Accounts that did not re-authorize ahead of this deadline will not be able to access the Ads API using your application. Sending these accounts through the Sign-in with Twitter flow will re-enable access to the Ads API through your application.
In order to avoid disruption of service, ensure your application has the following capabilities:
1. Send your customers through the Sign-in with Twitter flow
- All of your customers should be informed to complete re-authorization of their Twitter account by January 18, 2019.
- Your application should automatically send customers through the Sign-in with Twitter browser flow the next time they use your application.
- If you do not want to force re-authorization, please provide a link to your Sign-in with Twitter flow for customers to manually re-authorize and prevent any platform disruptions.
- Upon successful authorization, ensure your application updates and stores the new access tokens.
2. Handle 403 API error responses
- In general it is best practice to handle 403 forbidden errors with code INSUFFICIENT_USER_AUTHORIZED_PERMISSION gracefully by automatically sending the user through the Sign-in with Twitter flow or by providing the messaging and UI to initiate the flow.
- If your application handles 403 errors gracefully, you may choose to manually invalidate a customer’s access tokens using POST oauth/invalidate_token. This will cause an unauthorized error for that customer and trigger your Sign-in with Twitter flow.
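One way to structure the response handling described in steps 1 and 2, as an added example that is not Twitter's code. The JSON error body shape (`{"errors": [{"code": ...}]}`), the treatment of 401 as the "unauthorized error" that follows token invalidation, and the `TokenStore` class are assumptions made for illustration.

```python
import json
from enum import Enum

# Error code named on this page; the JSON body shape below is an assumption.
REAUTH_CODE = "INSUFFICIENT_USER_AUTHORIZED_PERMISSION"
# Constructed sample response body, not captured from the API.
SAMPLE_403 = '{"errors": [{"code": "INSUFFICIENT_USER_AUTHORIZED_PERMISSION", "message": "constructed sample"}]}'

class Action(Enum):
    OK = "ok"
    REAUTHORIZE = "reauthorize"  # send the user through Sign-in with Twitter
    FAIL = "fail"                # unrelated error: surface it, do not start re-auth

def error_codes(body):
    """Return the set of error codes, assuming {"errors": [{"code": ...}]}."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return set()
    errors = doc.get("errors") if isinstance(doc, dict) else None
    if not isinstance(errors, list):
        return set()
    return {str(e.get("code")) for e in errors if isinstance(e, dict)}

def classify(status, body):
    if 200 <= status < 300:
        return Action.OK
    if status == 403 and REAUTH_CODE in error_codes(body):
        return Action.REAUTHORIZE
    if status == 401:  # e.g. after the tokens were invalidated
        return Action.REAUTHORIZE
    return Action.FAIL

class TokenStore:
    """Hypothetical in-memory stand-in for the application's token storage."""
    def __init__(self):
        self.tokens = {}
        self.needs_reauth = set()

    def handle_response(self, user_id, status, body):
        action = classify(status, body)
        if action is Action.REAUTHORIZE:
            self.needs_reauth.add(user_id)  # stop API calls until re-authorized
        return action

    def complete_reauth(self, user_id, token, secret):
        self.tokens[user_id] = (token, secret)  # replace, never keep the old pair
        self.needs_reauth.discard(user_id)
```

Only the specific 403 code (or a 401) starts re-authorization; any other 403 is surfaced as a failure so that an unrelated permission problem does not push users into a sign-in loop.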
IMPORTANT: Failing to implement the above may introduce disruption of service to your users and customers. Access to the Ads API via your application to manage their advertiser account will be disabled.
Developers can reach out with questions or concerns via the Ads API developer forum. Twitter Official Partners should contact their partner manager and partner engineer.
FAQ
- Why is Twitter doing this?
  We’re improving the Sign-in with Twitter experience so that advertisers are informed of the scope of access an application has to their Ads Account.
- What will happen to accounts that do not re-authorize within the 90 day grace period?
  Twitter accounts that do not re-authorize within the 90 day grace period will not be able to access the Ads API until they do so.
- Will this affect access to other Twitter APIs?
  No, this update should not impact access to other Twitter APIs such as the Standard, Premium or Enterprise suite of APIs.
- I’ve just created my account, do I need to re-authenticate?
  Only Advertisers who have authenticated accounts prior to October 8th, 2018 1pm PDT will need to re-authenticate.