Obtain OAuth access token via @Anywhere/OAuth 1.0A, and persist it via Javascript


I’m kind of confused by the API documentation.

I have an application where you allow access to your account, and this application afterwards uses your access token to publish on your stream.

What I need is:

  • JavaScript solution
  • No redirects made from page with “Authorize button”
  • Fetch the access_token after OAuth proceeds and persist it into INPUT field on page
    So I can use the access_token after from Server-Side (Java2EE)
  • Automatic login, if my application is already authorized to currently logged in account

I don’t recognize an easy way to use the Javascript Twitter SDK to:

  • Create an “Authorize button”
  • Proceed with OAuth in a popup without a redirect
  • Get the access token in a JavaScript callback (parent window) to work with it

Can you please push me in the right direction?
Best Regards


We don’t have a Javascript Twitter SDK like this at this time. We don’t support long-lived tokens over OAuth 2 (which is what we’d need to do to support the model you’re talking about). Right now, to leverage a long-term relationship with a user, you’re advised to use server-to-server OAuth 1.0A.


What is “server-to-server OAuth 1.0A”?
I am also looking for a method to authorize without a redirect to Twitter, and hope I can authorize in a way like below:

  1. User submits username and password to my server
  2. Server returns token messages
  3. User logs in to my website, and handles his message on Twitter.

My xAuth application was rejected; can I do this with “server-to-server OAuth 1.0A”?


We have a bit of docs on what OAuth 1.0A is: [node:3240]. With OAuth 1.0A, you use a server-side language (perhaps Javascript if you’re running node.js, otherwise Javascript is not traditionally used as it is not a secure way to maintain token secrets).

For a web application, you start a series of requests to Twitter, resulting in you sending the user to a twitter.com page to enter their credentials. Once that step is complete you are given an access token which allows you to make further calls on their behalf.

xAuth is not granted to websites as they can leverage this callback approach instead and there’s no reason a user should be giving a third party their Twitter credentials if they don’t have to.


Won’t this be limited to the 350 requests/hour/ip if all the calls are made from the same server? I’m trying to sort out the same conundrum (stackoverflow: http://bit.ly/MJPtQb) - to make a webapp in which users can add themselves to lists etc., for which they need to be authenticated. Is there any way to resolve this? (I’m using jQuery.)

Some ideas would be GREATLY appreciated! Thanks!

PS: Is this comment (2009) still valid, for example? (from the stackoverflow link above): “Good solution! Having a PHP script that returns OAuth tokens. As these tokens only work when called from our domain (as it is the one registered with Twitter) it’s 100% secure. The PHP doesn’t update anything and the JQuery only works when hosted on our domain.”


Actually, just found this @episod answer regarding rate limits: “But if you’re doing OAuth, your rate limits are per-user and shouldn’t be an issue on your server’s IP address. You shouldn’t have rate limiting issues when properly using OAuth. Perhaps the OAuth signatures you’re generating server-side are invalid to start with?”

So is THAT still valid? If that’s the case, all is well and high-fives all around!


I like the @twitter app on my iPhone and iPad! Twitter helps me to stay in touch with fans and friends of mine!