Direct Message API - Change to how apps can access images sent in Direct Messages


As part of our continuing efforts to strengthen the security of our systems, today we implemented a change to how apps can access images sent in Direct Messages through our API. Due to the potential sensitivity of the prior state, we were unable to provide advance public notice of this change.

If your products or services are integrated with Twitter’s Direct Message API and render images sent via Direct Messages, please see below for the details of the change and determine whether you need to make changes to your integration. This change only impacts images, not the wider set of DM API functions.

What’s changed: as of today, we no longer support accessing media_url or media_url_https via an authenticated session. The request to fetch media_url_https MUST always be signed with the user’s access token using OAuth 1.0A.

We cannot prescribe how you should update your integration if you are affected by this change. However, here is one implementation path to address this that we endorse:

  • Make sure you’re storing a user’s Twitter access token, if you’re not already
  • Set up an endpoint to make OAuth requests to Twitter to retrieve DM images on behalf of the user using the user’s Twitter access token:
    • The endpoint should be a GET endpoint
    • The endpoint must be authenticated
    • The endpoint must deny all cross-origin requests
    • The endpoint must only be used for making requests to retrieve DM images, and must deny requests to other Twitter APIs
  • If you display images in a web interface, the URL from the newly created endpoint could be used in a <img> tag to display to users of your products. E.g. <img src="fetch_dm_image?url=example.jpg">

You can learn more in the documentation.

If you have any questions, please direct them to the REST API forum category.

Rate limiting when getting DM images
When acquiring the DM image from the application
DM Image proxy & rate limiting