Getting started with OAuth 2.0


Does Twitter support OAuth 2.0? (The Wiki for OAuth says Twitter supports 1.0a and 2.0.) I did find this page, but it seems that the 2.0 version should start out with a redirect, and then I start sending HTTPS GETs/POSTs through the back-channel to get tokens and make API calls, with the application ID on the query string in the redirect.

At any rate, are there any examples of using OAuth 2.0 to log in a user using Twitter? I’ve got a working example of OAuth 2.0 that connects to both Facebook and LinkedIn using OAuth 2.0…

Where do I put my application ID (Consumer Key?) and Consumer Secret to make the calls for a user to login?


Do you know if you can use OAuth 2.0 for authentication (login) with Twitter?

We only support one specific type of OAuth 2, for application-only authentication. User-based authentication has to use OAuth 1.0a.


Hello, we are Zoho Creator developers and we want to create a platform where we can use Twitter’s API.

We tried the only specific type of OAuth 2 that Twitter supports, but when we want to obtain a bearer token, we send a POST request with all the fields in the header and the body, and the response of the API is: {"responseCode":"403","responseText":"The request is for something forbidden. Authorization will not help."}.

I made a video where I explain my problem:

What does this error mean?

Thanks for the help.


That’s exactly what I want to do: application-only authentication. So, how do I do it?


Why not add OAuth 2.0 for user-based applications? All major services did it a long time ago. This inconvenience is the only reason why I don’t add Twitter to my authorization library.


Hey Twitter guys, I’m sorry to say, but you’re really lame concerning the whole OAuth/OAuth2/fetch email address issues. Disappointing really. We won’t support Twitter authentication until YOU have fixed this. And I urge others to do the same. How hard can it be for Twitter to update their ridiculously antique auth system?


Hi APravdin1/pixabay,

Sorry for the frustration. I’ll certainly take the OAuth 2.0 feedback back to our platform team.

If/when we do roll it out, I’ll be sure to update here.

Thanks again.



Now I understand why it was so hard for me to understand Twitter’s OAuth2 mechanics.
Thanks for sticking to the past!
Move on!


Still waiting for OAuth 2.0. Just having the “implicit” grant type would cover what I’m trying to do.
Is there at least a way to make it so that nothing can be done with my client secret except for having the user authorize my app so it’s essentially a two-part client ID?
All I need to do is open up a stream for a user-defined hashtag, but for whatever reason (throttling?) you have to authenticate to do so.


Just a thought. Considering the growing importance of security in everything we do that’s web based, and that uses client’s personal information or utilizes their accounts, is there a reason you still haven’t updated User-Based authorization to OAuth 2.0?

If there’s one thing I’m sure of, it’s that sticking with older security protocols drastically increases the risk of unauthorized access to that data (also known as hacking).

This actually just raised an important question in my mind. If someone utilizing our applications was hacked by someone taking advantage of the older OAuth 1.0a, would the app developers be liable if the user decided to take legal action?


Google, Facebook, and LinkedIn: these services support only OAuth2.

Twitter’s choice of sticking to OAuth1.0a is an anti-pattern in software development.


They support the OAuth 2 client credentials flow for application-only authentication. This means, if you have an application that only shows tweets from other users or stuff like that.


Can you please elaborate on that? Because I am not even able to authenticate through OAuth2. Do you have any sample where you have done that?
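

The application-only (client credentials) token request discussed in this thread, as an added example that is not part of the original posts or Twitter's own code. Assumptions: `TOKEN_URL` is Twitter's documented app-only token endpoint (the thread's own link was lost), the key, secret and response body are constructed placeholders, and the request is only built, never sent.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumption: Twitter's documented app-only token endpoint (not given in the thread).
TOKEN_URL = "https://api.twitter.com/oauth2/token"


def basic_credentials(consumer_key: str, consumer_secret: str) -> str:
    """Percent-encode key and secret, join them with ':', then base64 the pair."""
    pair = "{}:{}".format(
        urllib.parse.quote(consumer_key, safe=""),
        urllib.parse.quote(consumer_secret, safe=""),
    )
    return base64.b64encode(pair.encode("ascii")).decode("ascii")


def build_token_request(consumer_key: str, consumer_secret: str) -> urllib.request.Request:
    """Build (but do not send) the POST that exchanges app credentials for a bearer token."""
    return urllib.request.Request(
        TOKEN_URL,
        data=b"grant_type=client_credentials",  # the only body parameter this grant needs
        method="POST",
        headers={
            "Authorization": "Basic " + basic_credentials(consumer_key, consumer_secret),
            "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        },
    )


def parse_token_response(body: bytes) -> str:
    """Return the access token, rejecting anything that is not a bearer token."""
    payload = json.loads(body)
    if str(payload.get("token_type", "")).lower() != "bearer" or not payload.get("access_token"):
        raise ValueError("unexpected token response fields: %r" % sorted(payload))
    return payload["access_token"]


if __name__ == "__main__":
    # Constructed placeholder credentials; real ones belong in server-side configuration.
    req = build_token_request("constructed-key", "constructed/secret+1")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
    # Constructed sample of a successful response body.
    sample = b'{"token_type":"bearer","access_token":"CONSTRUCTED-TOKEN"}'
    print("bearer token:", parse_token_response(sample))
```

The consumer secret and the resulting bearer token are application-level credentials with no user context, so both stay on the server and are never shipped in a browser or mobile client.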