Retirement of xAuth

security
oauth
xauth

#1

Since API v1.1 was launched in 2012, Twitter’s API endpoints have supported two broad forms of authentication - OAuth and xAuth.

The purpose of xAuth was primarily to ease the transition from the older-style basic username + password-based authentication flow, into the token-based OAuth flow. This mechanism enabled applications to deliver credentials directly to the Twitter API on behalf of a user, without using the web-based or PIN-based OAuth flows.

Sharing usernames and passwords with third-party applications carries several risks. Since 2014, we have publicly stated that the xAuth authentication method is deprecated. As part of our ongoing efforts to enhance, improve and secure the Twitter Platform and APIs, it is now time to remove the xAuth option completely.

From June 30, 2017 the xAuth authentication mechanism will be removed from the Twitter API.

If your application or use case is unable to implement the complete web-based authentication flow for OAuth, or to use Twitter Kit for sign-in with Twitter on iOS and Android, we would recommend considering the PIN-based OAuth flow. There is more guidance on which form of OAuth flow to choose in our overview documentation.

The number of applications with the xAuth special privilege is small, and we do not anticipate that this will have a significant impact. If you have a specific concern about this change, please contact us to describe the issue in more detail.

If you require assistance with, or have questions about, the implementation of OAuth on the Twitter platform, please use the OAuth category on the developer forums.


I'm going to use xAuth feature
#2

#3