OAuth token expires and my app access gets revoked randomly, why?

oauth
python
error-codes
api

#1

I have a simple app I am the owner of, linked into and verified with my own personal account that lets me discover new people and post tweets when I’m away from my computer. However recently, and it only seems to happen when I try to unfollow accounts, but seemingly randomly my OAuth access token gets removed, and my Twitter account, without my explicit permission, revokes access to my app. I receive no message back from Twitter (aside from the “Invalid or Expired Token, code 89” message if I try to use the missing token) telling me that I’ve exceeded a limit, nor is there any message anywhere from Twitter saying anything is suspended or banned. I CAN just manually refresh my access token and plug it back into my Python script by hand, but it only works again momentarily before everything breaks again. Is there a limit to the number of people that I can unfollow per hour / day that I’m unaware of?
For what it’s worth, I’m using the 3-legged OAuth authorization to pull the token, and then I’m trying to reuse that same token from there. My app is built with Python using the REST API.
Any ideas?


#2

These limits are documented on our Support pages.


#3

I already visited that page before asking this question. I’m assuming that unfollows are treated as follows on that page? Your support pages should clarify, because a ctrl+f search for unfollow returned no hits.
I’m definitely not hitting the follow limit, at MOST I would have followed 100 a day and tried to unfollow 100 that same day when I have upwards of 400 followers…
I’ve been through the documentation in your support and dev pages many times, the only reason I bring my question up here is because I can think of nowhere else to turn.
Would you be able to clarify why my app’s access to my account could possibly be revoked without my knowledge of it?


#4

I would expect that there could be an issue if your app is detected as performing mass or bulk follow/unfollow operations, which might then trigger our Botmaker antispam system to muzzle or temporarily prevent the app from continuing. I’m afraid we can’t do too much diagnosis on specific apps in a public forum like this. You could raise a platform support ticket to see if that team has any more information for you.


#5

If my app was considered to be performing bulk operations, and it was suspended, wouldn’t I receive a notice the next time I tried to log in or use it? I never got any notice that it was suspended, and I could still just refresh, re-verify, and use it again.


#6

Experiencing the same issue. When I send a request to friendships/destroy.json, the first request always gets a 200 response, but when the next request is sent it returns with 401.

And when I checked the access token, it had been removed. Again I repeated the same step and the first request returned with a 200 HTTP response, but again the key was deleted. I’m sure that the account was not suspended because the requests made were not many in number.

Can you please help?


#7

This is the same situation I find myself in.

While I understand that Twitter needs to protect itself from bots, I don’t see how my following or unfollowing people who do not want to engage is an issue. Especially when most of my unfollowing is due to undeclared sensitive content. Also I never go over 15 people in any 15 minute window. Not even if I combine follows and unfriends.

I’m very fond of Twitter and want to “play nice” but I don’t seem to understand the rules.

I am at a loss.


#8

We are facing the same issues even though we’re adhering to the rate-limits. Just wondering, why there are no more responses to this thread.


#9

I’m having the same issue! Any resolution guys?


#10

Exactly the same issue for my app too.

Very disappointing to not have a response from Twitter about this. Is there a workaround? How do I get my app working again?


#11

(side-note that we did respond to this thread last in Feb 2016 which I realise is a year back)

We publish specific rules about automated experiences on the platform. If an application is detected by our automated / machine learning anti-spam and anti-abuse systems (aka “Botmaker”) then it can sometimes be muzzled and placed into a read-only mode, which would be visible via the apps dashboard.

Twitter does not revoke tokens on behalf of users except in unusual circumstances that suggest that an account may have been compromised, which should trigger a visible message on use or login.

There are forms where you can request assistance with your specific app IDs on our support pages. We cannot debug application issues here in the forums for user and developer privacy reasons.

Apologies for any frustration you’re experiencing but this is difficult to comment on further in a public space as described above. I hope this information is helpful and provides you some further avenues to explore.


#12

Thanks for the response Andy.
Yeah, I did see the initial response and like the original author I had already read that page. I was referring to the subsequent lack of information.
Anyways, you said:-

> If an application is detected by our automated / machine learning anti-spam and anti-abuse systems (aka “Botmaker”) then it can sometimes be muzzled and placed into a read-only mode, which would be visible via the apps dashboard.

I assume “apps dashboard” means apps.twitter.com? Yeah, I don’t see anything there about my app being muzzled. In fact the app continues to work for other authorized users. So this appears to affect just one user (and the behavior is exactly what the original author of this topic describes).

> Twitter does not revoke tokens on behalf of users except in unusual circumstances that suggest that an account may have been compromised, which should trigger a visible message on use or login.

This isn’t what I am seeing actually. For the affected user (after re-authorizing) the first unfollow succeeds, the second and subsequent unfollows fail with the message:-

“401:Authentication credentials (https://dev.twitter.com/pages/auth) were missing or incorrect. Ensure that you have set valid consumer key/secret, access token/secret, and the system clock is in sync.
message - Invalid or expired token.
code - 89”

And if I inspect the affected user’s Apps settings my application that had been previously authorized and appeared in the list is now absent. That looks a lot like a revocation to me. The affected user receives no emails or any other indication that this has happened.

So to sum up. According to your descriptions my app appears NOT to have been muzzled and one particular user appears to be having his application authorization revoked which according to Twitter you don’t do.

Not only frustrating but also embarrassing to have this happen to a Customer and be completely unexplainable.


#13

That’s understandable confusion.

However, you refer to multiple “unfollow” events here, and per the automation rules this could well be detected as automation, so this could be related.

My advice would be to raise a platform support ticket as above.
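An added example, not code from any poster in this thread: a client-side triage of the pattern reported above (first `friendships/destroy.json` call returns 200, the next returns 401 with code 89), so a script halts and records a token revocation instead of retrying with a dead credential. Codes 88 and 261 are Twitter REST API v1.1 error codes not quoted in the thread; the function names and the sample responses are constructed for illustration.

```python
import json

# Twitter REST API v1.1 error codes. 89 is the code quoted in this thread;
# 88 and 261 are other documented v1.1 codes added here for contrast.
INVALID_TOKEN = 89      # "Invalid or expired token", HTTP 401
RATE_LIMITED = 88       # "Rate limit exceeded", HTTP 429
WRITE_RESTRICTED = 261  # "Application cannot perform write actions", HTTP 403


def error_codes(body):
    """Return the numeric codes from a v1.1 error body, or [] if unparseable."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    errors = doc.get("errors") if isinstance(doc, dict) else None
    if not isinstance(errors, list):
        return []
    return [e["code"] for e in errors
            if isinstance(e, dict) and isinstance(e.get("code"), int)]


def classify(status, body):
    """Map one HTTP response to a verdict the caller can act on."""
    if status == 200:
        return "ok"
    codes = error_codes(body)
    if status == 401 and INVALID_TOKEN in codes:
        return "token_revoked"         # re-authorization needed, never retry
    if status == 429 or RATE_LIMITED in codes:
        return "rate_limited"          # back off until the window resets
    if WRITE_RESTRICTED in codes:
        return "app_write_restricted"  # app placed in read-only mode
    return "other_error"


def triage_batch(responses):
    """Walk (status, body) pairs in request order; stop at the first failure."""
    completed = 0
    for status, body in responses:
        verdict = classify(status, body)
        if verdict != "ok":
            return {"completed": completed, "stopped_on": verdict,
                    "retry": verdict == "rate_limited"}
        completed += 1
    return {"completed": completed, "stopped_on": None, "retry": False}


# Constructed sample: one successful unfollow, then the token is gone.
SAMPLE = [
    (200, '{"id": 1, "screen_name": "example_user"}'),
    (401, '{"errors": [{"code": 89, "message": "Invalid or expired token."}]}'),
]
```

Logging the `completed` count together with the timestamp of each `token_revoked` verdict gives concrete evidence to attach to a platform support ticket.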