Get Twitter accessToken and accessTokenSecret from a frontend JS application



I would like to create a Spring Boot webapp (Twitter client) that is able to connect to multiple Twitter accounts and post tweets on their behalf. It should be an API + one SPA.

After two days, I am suffering from acute tutorial dizziness and have advanced very little. I am trying to follow Spring Social Twitter Reference, but it does not explain how to get, store or update the accessToken.

This is how I imagine the overall process (but it is probably deeply flawed):

  • The SPA (frontend) gets an accessToken and an accessTokenSecret to the user’s Twitter account through a direct call to Twitter’s API (popup window? I don’t know yet how to do this).
  • It then sends both to the backend (using HTTPS), who stores them in a database (Encrypted).
  • Then the backend can start sending tweets on behalf of the users by using the accessToken and accessTokenSecret of each user.

If the above is wrong, which would be the correct process?


In general you want to keep your consumer key/secret secure on your server. Since that is used for all user authenticated requests to the Twitter API you will want to proxy all requests to Twitter through your own server.

The high overview of what you’ll want to do is this:

  • User lands on your SPA, wants to Sign in with Twitter.
  • SPA makes request to your server, server makes request to Twitter API for a request_token.
  • Twitter returns request_token to server, which returns it to the SPA.
  • SPA sends user to with request_token to get authorization.
  • User returns to SPA with verification_code.
  • SPA sends verification_code to server who sends it to Twitter API for access_token.
  • Twitter returns access_token to server for storage.
  • Server creates session for user for future SPA/server authentication.

Now you have an authenticated user on your SPA with Twitter credentials stored on the server.

  • SPA tells server to perform action on Twitter (update status, get profile, etc), server gets credentials out of the database and makes authenticated request to Twitter API.
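The server side of the sign-in steps in the answer above, as an added example built on Spring Social's `OAuth1Operations` (not code from the thread or from the Spring Social reference). The `TokenStore` interface, the endpoint paths and the callback URL are assumptions; `oauth_verifier` is the OAuth 1.0a parameter the answer calls verification_code.

```java
import java.util.Map;
import javax.servlet.http.*;
import org.springframework.http.ResponseEntity;
import org.springframework.social.oauth1.*;
import org.springframework.social.twitter.connect.TwitterConnectionFactory;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/twitter") // hypothetical path
public class TwitterSignInController {
    /** Hypothetical store: encrypts token and secret at rest, returns a local account id. */
    public interface TokenStore { long saveEncrypted(String token, String secret); }

    private static final String PENDING = "pendingRequestToken";
    private static final String CALLBACK = "https://spa.example/twitter/callback"; // placeholder
    private final OAuth1Operations oauth; // built from the consumer key/secret, server-side only
    private final TokenStore store;

    public TwitterSignInController(TwitterConnectionFactory factory, TokenStore store) {
        this.oauth = factory.getOAuthOperations();
        this.store = store;
    }

    // Fetch a request token, keep it in the session, hand the SPA only the authorize URL.
    @PostMapping("/sign-in")
    public Map<String, String> start(HttpSession session) {
        OAuthToken requestToken = oauth.fetchRequestToken(CALLBACK, null);
        session.setAttribute(PENDING, requestToken);
        return Map.of("authorizeUrl",
                oauth.buildAuthorizeUrl(requestToken.getValue(), OAuth1Parameters.NONE));
    }

    // The SPA posts back the oauth_token and oauth_verifier Twitter appended to the callback.
    @PostMapping("/callback")
    public ResponseEntity<Void> finish(@RequestParam("oauth_token") String token,
            @RequestParam("oauth_verifier") String verifier, HttpServletRequest request) {
        HttpSession session = request.getSession();
        OAuthToken pending = (OAuthToken) session.getAttribute(PENDING);
        session.removeAttribute(PENDING); // a request token is single use
        if (pending == null || !pending.getValue().equals(token)) {
            return ResponseEntity.status(403).build(); // not the flow this session started
        }
        OAuthToken access = oauth.exchangeForAccessToken(
                new AuthorizedRequestToken(pending, verifier), null);
        request.changeSessionId(); // new session id once the user is authenticated
        session.setAttribute("accountId", store.saveEncrypted(access.getValue(), access.getSecret()));
        return ResponseEntity.noContent().build();
    }
}
```

The access token and its secret never appear in a response body; the SPA only holds the session cookie, and later Twitter calls look the credentials up by the `accountId` stored in that session.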


Thank you @abraham!

I also made the question in SO here, in case you want to copy/paste your answer there so that maybe someone else will find it useful.