Is the "state" parameter supported?


Is the “state” parameter supported? It is supported by Facebook and Google (at least).

If not, is there some other way to maintain state between requests?





No, we don’t support OAuth 2 at this time, aside from app-only auth which is without this kind of context.

If you need to maintain state during the OAuth 1.0A callback “handshake,” you can do so by setting additional parameters to your custom oauth_callback value you provide on the oauth/request_token step.


Okay, thanks.


How can I set an additional parameter in the oauth_callback URL? My callback URL is:


With this I am getting the access_token successfully, but not getting any state parameter.

Now I want to set a state parameter, so I can get a unique state in the response params. But when I tried this


I got an error: could not authenticate.


Do you need to url encode your callback url?



Thanks for your reply. I have sent the query parameter as an encoded string. Still I’m facing the same error. If I do not include the state query parameter in the callback URL, then I do not get any error and authorize successfully, but without the state parameter. I need to differentiate the user by this state parameter.


The only other idea I have (sorry for delay!) would be to use something like:


And use Apache’s mod_rewrite or something equivalent depending on your webserver…


How could that work?
The point of the state parameter is that it’s going to change on every request. But you cannot use a “changing” callback URL with OAuth, thus making it impossible to use http://localhost:3000/oauthhandler/twitter/state/skjdfhjsf24754fsdf10


Well, true that you can’t directly use a state parameter, but the pretty crazy flow from Twitter already makes it so the state param isn’t really needed, because of the OAuth token and secret, which work similarly but slightly differently.

After all, when you request an OAuth token for the login, you store the token secret and give the user the Twitter login site with the token.

Also, since the OAuth token itself is a dynamic parameter in the first place, you can also store that and do a check on that.

And the OAuth verifier obviously has to be the correct one for any given OAuth token, and the same for the secret. The secret is used for signing, after all, and if the sig doesn’t check out, Twitter won’t let the login do anything.

So while it’s not you that decides the dynamic parameters, there are parameters which are dynamic enough to basically work as state, but while being more complicated, also slightly better, since there’s also a secret value instead of just the public state.


You can use the state parameter as a URL parameter instead of as part of the URL path. Like this:



So, definitively, is it possible to put a custom parameter like context in OAuth1? I am facing a painful problem with my school project, as I am not able to store accessToken and accessSecret to my database because in the current flow I am not able to say which user of my site the account belongs to.


Since June 12th this is not working anymore. Our callback looks like this:{state}, but since callback URLs must be explicitly specified, this no longer works.

Is there a way we can still get state in callback?


You can put state in a query parameter like this:{state}


It works now. Thank you @abraham!



Can I pass a JSON string to state?

I have tried this, but on callback the parameter is like this:

And there is another problem:
when I pass an argument like this:
&loadFunc=[object Object]

I get this result from Twitter:

twitter4j.TwitterException: 403:The request is understood, but it has been refused. An accompanying error message will explain why. This code is used when requests are being denied due to update limits (

<?xml version="1.0" encoding="UTF-8"?>Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings


This is a callback URL so everything must be URL safe. JSON isn’t likely to be URL safe. You also don’t have to use state, it’s just a common pattern. Any param will work.

Or if you really want to pass a complex object you could URL encode a base64 encoded JSON object.
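
The suggestion above (a URL-safe, base64-encoded JSON object in a callback query parameter), as an added example that is not part of the original thread. The HMAC tag and issue timestamp are additions, because the value passes through the user's browser and base64 alone does not protect it; the callback URL, key and field names are assumptions.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlsplit, parse_qs

CALLBACK_BASE = "https://example.com/oauth/twitter/callback"  # constructed placeholder


def _b64e(raw: bytes) -> str:
    # URL-safe alphabet, padding stripped so no '=' ends up in the query string
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: str, key: bytes) -> str:
    return _b64e(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def encode_state(data: dict, key: bytes, now=None) -> str:
    """Return base64url(JSON) + '.' + HMAC-SHA256 tag; adds an 'iat' timestamp."""
    body = dict(data, iat=int(time.time() if now is None else now))
    payload = _b64e(json.dumps(body, separators=(",", ":")).encode())
    return f"{payload}.{_tag(payload, key)}"


def build_callback(state: str) -> str:
    """Value to send as oauth_callback on the oauth/request_token step."""
    return f"{CALLBACK_BASE}?{urlencode({'state': state})}"


def decode_state(callback_url: str, key: bytes, max_age: int = 600, now=None) -> dict:
    """Verify and decode the state from the URL the user was redirected to."""
    values = parse_qs(urlsplit(callback_url).query).get("state", [])
    if len(values) != 1 or values[0].count(".") != 1:
        raise ValueError("missing or malformed state")
    payload, tag = values[0].split(".")
    # Constant-time comparison; reject anything not signed with our key
    if not hmac.compare_digest(tag.encode(), _tag(payload, key).encode()):
        raise ValueError("state was modified")
    data = json.loads(_b64d(payload))
    if (time.time() if now is None else now) - data["iat"] > max_age:
        raise ValueError("state expired")
    return data
```

The payload is only encoded, not encrypted, so keep it to identifiers such as a session-bound user id and never put the token secret in it.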


Yeah, I want to pass complex data to my callback. Base64 solved my problem.
Thank you very much!

Google/Facebook can set a JSON string to state, but why does Twitter need URL-safe values for these callback parameters?

Does Twitter have an OAuth 2.0 API now? Maybe 2.0 is simpler.


Twitter supports OAuth 1.0A for the majority of API endpoints, but an OAuth 2.0 Bearer Token can be used for some of them. There’s no general implementation of OAuth 2.0 for Twitter’s API right now.