Code 326 - how do you deal with it?



I notice the API returns code 326 more often than before: "To protect our users from spam and other malicious activity, this account is temporarily locked", and this pretty much makes the connection useless.

We don’t have control over other apps the user is using that might cause code 326. Also, everyone can agree that Twitter’s anti-spam algo is over-sensitive and this can happen pretty much any time to anyone (there are a lot of topics online about Twitter randomly locking accounts).

My questions are:

  1. Is there a way to check whether the user account is still locked?
  2. Will the lock go away automatically? From what I know they need to manually unlock it themselves.
  3. Are there any GET actions that can be performed during lock?
  4. If I “force” an API call and it returns code 326 over and over again, will that impact my app in any way (Twitter flagging me for “spam behaviour” even if this was not my intention)?


Your opinions of the perceived sensitivity of our safety systems are not relevant to the discussion of the error code.

I’d suggest an exponential back-off approach to error 326 - you’re correct that it requires manual intervention from the user, and there’s no way to query the temporary locked status of the account without calling an endpoint.


So what will happen if I keep calling an endpoint (referring to my question no. 4)? Will that impact my app’s reputation?

Also, will the user keep receiving emails over and over that their account is locked, with instructions on how to unlock it?


I handle it by locking their account on my interface (not making any more requests). I email them once from my site asking them to reconnect their account, which frees the lock (they can’t reconnect without unlocking on Twitter).

In case they unlock on Twitter but don’t reconnect on my interface, I use the friendships lookup endpoint once a day with their token just to test whether it goes through. If it goes through, they clearly unlocked their account; if it doesn’t, they’re still locked.

To answer your questions:

  1. Use one of the GET endpoints (I personally use friendships/lookup) with their token.
  2. They need to manually unlock their account.
  3. I think the only one I’ve come across is the verify_credentials endpoint.
  4. For POST endpoints I’m pretty sure you’ll trigger flags. For GET endpoints, I’m not sure but I think you’d be fine.


Appreciate your reply!

By reconnecting on your app you mean you revoke their connection and ask them to reauthorize again? Is this necessary?

Yes, I was also thinking about simple friendships/lookup.


I don’t revoke it; I just ignore their account for the time being on my system. Then I periodically (personally, once a day) check their existing token and either email them again explaining what the problem is or unlock their account.
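The approach the thread converges on (the exponential back-off suggested by the staff reply, and the "lock locally, email once, probe with a read-only endpoint" handling described in the two answers above) can be expressed as a small client-side state machine. The code below is an added example, not code from any participant or from Twitter; `transport` is a hypothetical stand-in for the app's HTTP layer, the hour/day probe intervals are assumed values, and `FakeTwitter` is a constructed mock of the v1.1 error payload shape (`{"errors": [{"code": 326, "message": "..."}]}`). Only `GET friendships/lookup` is used to re-check the lock, so no write calls are retried while the account is locked.

```python
"""Client-side handling of Twitter error 326 (temporary account lock).

Hypothetical example. `transport(method, endpoint, token)` stands in for the
app's real HTTP layer and returns the parsed JSON body of a v1.1 response.
"""
import time

LOCKED_CODE = 326                  # "this account is temporarily locked"
PROBE_BASE_SECONDS = 60 * 60       # assumed: first re-check after an hour
PROBE_MAX_SECONDS = 24 * 60 * 60   # assumed: back off to at most once a day


def error_codes(body):
    """Error codes in a v1.1 error payload; empty list for a success body."""
    return [err.get("code") for err in body.get("errors", [])]


class AccountLocked(Exception):
    """Raised when the app refuses to call Twitter for a locally-locked user."""


class LinkedAccount:
    def __init__(self, user_id, token, transport, clock=time.time):
        self.user_id = user_id
        self.token = token
        self.transport = transport
        self.clock = clock
        self.locked = False
        self.next_probe_at = 0.0
        self.probe_interval = PROBE_BASE_SECONDS
        self.emails_sent = 0       # the user is emailed once, at lock time

    def _record_lock(self):
        if not self.locked:
            self.locked = True
            self.probe_interval = PROBE_BASE_SECONDS
            self.emails_sent += 1
        # Exponential back-off between probes, capped at once a day.
        self.next_probe_at = self.clock() + self.probe_interval
        self.probe_interval = min(self.probe_interval * 2, PROBE_MAX_SECONDS)

    def _record_success(self):
        self.locked = False
        self.probe_interval = PROBE_BASE_SECONDS
        self.next_probe_at = 0.0

    def request(self, method, endpoint):
        """Call on the user's behalf; never touch Twitter while locked."""
        if self.locked:
            raise AccountLocked(self.user_id)
        body = self.transport(method, endpoint, self.token)
        if LOCKED_CODE in error_codes(body):
            self._record_lock()
            raise AccountLocked(self.user_id)
        return body

    def probe(self):
        """Periodic read-only check. True if the account is usable again,
        False if still locked or if the next probe is not due yet."""
        if not self.locked:
            return True
        if self.clock() < self.next_probe_at:
            return False            # too early: no API call at all
        body = self.transport("GET", "friendships/lookup", self.token)
        if LOCKED_CODE in error_codes(body):
            self._record_lock()
            return False
        self._record_success()
        return True


class FakeTwitter:
    """Constructed mock: answers 326 to everything until unlock() is called."""
    def __init__(self):
        self.locked = True
        self.calls = []

    def __call__(self, method, endpoint, token):
        self.calls.append((method, endpoint))
        if self.locked:
            return {"errors": [{"code": LOCKED_CODE,
                                "message": "this account is temporarily locked"}]}
        return {"id": 1, "screen_name": "example"}

    def unlock(self):
        self.locked = False


def demo():
    """Lock, suppressed traffic, throttled probing, recovery; returns counters."""
    now = [0.0]
    api = FakeTwitter()
    acct = LinkedAccount("u1", "token", api, clock=lambda: now[0])
    for _ in range(2):              # first call hits Twitter and locks; second is local
        try:
            acct.request("POST", "statuses/update")
        except AccountLocked:
            pass
    acct.probe()                    # not due yet: no call
    now[0] += PROBE_BASE_SECONDS
    acct.probe()                    # due: one GET, still locked, interval doubles
    now[0] += 2 * PROBE_BASE_SECONDS
    api.unlock()                    # user unlocked on Twitter's side
    recovered = acct.probe()        # GET succeeds, local lock cleared
    acct.request("POST", "statuses/update")
    return {"recovered": recovered, "api_calls": len(api.calls),
            "emails_sent": acct.emails_sent,
            "probe_gets": sum(1 for m, _ in api.calls if m == "GET")}
```

Of the four calls `demo()` makes to the mock, two are the throttled probes; the repeated POST while locked never reaches Twitter, which is what avoids the "spam behaviour" concern raised in question 4.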