Violation Warning: Twitter users that have multiple connections on their individual accounts

authorization
account-access

#1

We have received a warning from Twitter Support about something we are not able to make any sense of.
Here are the mails from them:

Mail 1

We have data showing many Twitter users that have multiple connections on their individual accounts to your app XYZ, app ID XXXXX.
Having multiple connections to a single app is prohibited by the following part of our Developer Agreement and Policy:

Do not do any of the following - Use a single application API key for multiple use cases

Each Twitter account is only permitted a single connection to your app XYZ, app ID XXXXX. 

Mail 2

Your customers are creating multiple access tokens for your app ID XXXXX on individual Twitter accounts.
Having multiple connections to a single app (i.e.: creating multiple access tokens)
is prohibited by the following part of our Developer Agreement and Policy:

Do not do any of the following - Use a single application API key for multiple use cases

Mail 3

Your users are creating multiple tokens for the same use case by creating multiple accounts via your site.
This has nothing to do with email requesting or any other Twitter permission.
Each user of your service is only permitted one connection to your app per our Developer Agreement and Policy.

You must fix this issue by the deadline provided in our initial notice,
or you will face restrictions from accessing our API.

The deadline is in 5 days!

We use only 1 app ID for our application.
We do not use any other app ID, nor do we use this app ID anywhere else.
I am not sure how 3rd party apps like ours can create multiple access tokens to the same Twitter profile!

We do have a dashboard feature where users can add their social profiles (Twitter, Facebook, LinkedIn etc.) to their Main Account, but that is only to manage those profiles from a unified dashboard. All social media management applications, including Tweetdeck, allow that, and so I hope this is not what they mean.

We have not been able to get any response from Twitter support after sharing with them the above explanation.
Our last reply to them:

We are ready to make any change necessary to curb this issue immediately, but we are not able to understand
how 3rd party apps like ours can create multiple tokens.
We haven't changed our way of authentication in the last 5 years, and
it is not clear how any of the processes we implement can lead to creating multiple tokens.
It will be extremely helpful if you can share with us the possible ways
multiple tokens can be created. As soon as we can relate to any of them,
we will make the change in our system within 48 hours to ensure we do not violate any terms.

While we still wait for their response,
I will be very grateful if someone can assist us in understanding their expectations.

Thank you in advance


#2

An individual user authentication to Twitter should create a single token which you can then store. There should be no reason to then ever have that same user create another connection to Twitter (unless they have revoked your app in their settings, which would invalidate the token and require a new login).

If your app is somehow calling the oauth endpoint multiple times for the same user (regardless of whether you already store a token for their account) then you may end up in this situation. Once a user is authenticated, you should never need to re-auth them unless they revoke your account access and you need to rebuild the token, based on an error response. Is your logic faulty in this area?

You should also never, ever re-use, share or pool one user token to access the Twitter APIs on behalf of another user of your application or service.

We cannot publicly comment on individual application situations and policy statuses on a public forum for privacy reasons, so if you continue to have issues I would encourage you to engage with the platform support team via the established email channel.


#3

Hello Andy,

Thank you for your reply.

  1. We are using the endpoint oauth/authorize to send the user for authentication. We also allow users to “Sign in with Twitter” using the same endpoint after getting the request token.

We cannot know until we get the access token whether the user wants to add another account to our App Dashboard or update their existing account by using the same credentials. Our application allows multiple Twitter accounts to be managed under 1 dashboard. A user can go through the OAuth process multiple times at the time of setup. And they can log out / log in using Twitter.

Is there something we can do here to solve the issue of calling the Twitter OAuth endpoint multiple times, given that we want our app users to add multiple Twitter accounts and it is up to them to log in using Twitter?

NOTE: One thing we implemented just after the warning was to enforce checking that oauth_callback_confirmed is true.

  2. We don’t share user tokens to access Twitter APIs on behalf of another application user.
    However, it may happen that users belonging to 1 Dashboard (multiple accounts can be added in 1 dashboard) request data about tweets/followers etc. of other Twitter users (not our application users). We use tokens from any of the accounts in the same dashboard to access the resource. We only use tokens from the app dashboard users to access resources requested by the owner of that dashboard. Tokens are not shared even for users of the same dashboard. That means we don’t request a resource that is to be used by another Twitter account of the same dashboard.
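The pattern Andy describes in #2 (store one token per authenticated Twitter user and only send that user back through OAuth when an API call reports the token invalid), combined with the dashboard flow and the oauth_callback_confirmed check from #3, can be written down as a small token store. The following is an added example, not the original poster's code and not Twitter's; it assumes the OAuth 1.0a responses are form-encoded bodies carrying oauth_callback_confirmed (request token step) and oauth_token, oauth_token_secret, user_id and screen_name (access token step), it treats an HTTP 401 on a later API call as the "token revoked" signal, and the sample bodies, user IDs and dashboard names are constructed.

```python
# Added example, not the original poster's or Twitter's code. It assumes an
# OAuth 1.0a flow whose oauth/access_token response is a form-encoded body
# containing oauth_token, oauth_token_secret, user_id and screen_name, and it
# treats an HTTP 401 on a later API call as the "token revoked" signal.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class Connection:
    dashboard_id: str
    twitter_user_id: str
    screen_name: str
    oauth_token: str
    oauth_token_secret: str
    revoked: bool = False


def callback_confirmed(request_token_body: str) -> bool:
    """Step 1 guard: only continue to oauth/authorize if the request_token
    response confirmed our callback (the check the poster added in #3)."""
    params = parse_qs(request_token_body, strict_parsing=True)
    return params.get("oauth_callback_confirmed") == ["true"]


class ConnectionStore:
    """In-memory stand-in for the application database (an assumption), keyed
    by Twitter user_id so one Twitter account holds at most one stored
    connection to the app instead of one row per OAuth round trip."""

    def __init__(self) -> None:
        self._by_user: Dict[str, Connection] = {}

    def needs_oauth(self, twitter_user_id: str) -> bool:
        """True only if no usable token is held for this Twitter account; a
        'reconnect' button for a known account should check this first."""
        conn = self._by_user.get(twitter_user_id)
        return conn is None or conn.revoked

    def upsert_from_access_token(self, dashboard_id: str, body: str) -> Tuple[Connection, bool]:
        """Store the credentials from oauth/access_token. Returns (connection,
        replaced): replaced is True when this Twitter account was already
        connected, in which case the old record is overwritten rather than a
        second connection being added."""
        p = parse_qs(body, strict_parsing=True)
        conn = Connection(
            dashboard_id=dashboard_id,
            twitter_user_id=p["user_id"][0],
            screen_name=p["screen_name"][0],
            oauth_token=p["oauth_token"][0],
            oauth_token_secret=p["oauth_token_secret"][0],
        )
        replaced = conn.twitter_user_id in self._by_user
        self._by_user[conn.twitter_user_id] = conn
        return conn, replaced

    def token_for(self, dashboard_id: str, twitter_user_id: str) -> Optional[Connection]:
        """Tokens are handed out only to the dashboard that owns the account;
        they are never pooled or used on behalf of another dashboard."""
        conn = self._by_user.get(twitter_user_id)
        if conn is None or conn.revoked or conn.dashboard_id != dashboard_id:
            return None
        return conn

    def mark_revoked(self, twitter_user_id: str) -> None:
        conn = self._by_user.get(twitter_user_id)
        if conn is not None:
            conn.revoked = True

    def count(self) -> int:
        return len(self._by_user)


def after_api_call(store: ConnectionStore, conn: Connection, http_status: int) -> bool:
    """Feed the HTTP status of each API request through here. Returns True when
    the user must log in again (token revoked); only then is OAuth restarted."""
    if http_status == 401:
        store.mark_revoked(conn.twitter_user_id)
        return True
    return False


# Constructed sample bodies in the shape of the OAuth 1.0a endpoint responses.
SAMPLE_REQUEST_TOKEN = "oauth_token=REQ_TOKEN&oauth_token_secret=REQ_SECRET&oauth_callback_confirmed=true"
SAMPLE_ACCESS_TOKEN_1 = "oauth_token=ACC1&oauth_token_secret=SEC1&user_id=1001&screen_name=alice"
SAMPLE_ACCESS_TOKEN_2 = "oauth_token=ACC2&oauth_token_secret=SEC2&user_id=1001&screen_name=alice"


def demo() -> Tuple[int, bool, bool]:
    """Same Twitter account authorizes twice (e.g. setup, then 'Sign in with
    Twitter'): the store still holds one connection, and a later 401 flags it."""
    store = ConnectionStore()
    assert callback_confirmed(SAMPLE_REQUEST_TOKEN)
    store.upsert_from_access_token("dash-A", SAMPLE_ACCESS_TOKEN_1)
    conn, replaced = store.upsert_from_access_token("dash-A", SAMPLE_ACCESS_TOKEN_2)
    need_relogin = after_api_call(store, conn, 401)
    return store.count(), replaced, need_relogin


if __name__ == "__main__":
    print(demo())
```

The design choice that answers the warning is the key of the store: because the app cannot tell before the access_token step which account the user picked, the decision is made after it, by upserting on the returned user_id rather than inserting a new row. "Sign in with Twitter" then refreshes an existing record instead of accumulating connections, and the only path that deliberately restarts OAuth is a 401 that marks the stored token revoked.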

#4

We have been trying to get a response from them for the last week. We have sent 3 mails but no reply yet!

I am hoping that we have resolved it and there won’t be any issue going forward.