What authentication method should we be using?


We believe we need to use xAuth for our Twitter integration. We have an audio-blogging application. Our users create blog posts in one of the following ways:

  1. Using a telephone to call a number.
  2. Logging in to their account on our website and uploading an audio file (e.g. MP3).
  3. Recording an audio file using either our Android or iPhone apps, which then uploads the audio to our website.

Some of our users would like to have their Twitter status automatically updated when they post a new blog entry.

Up until recently we have been able to do this using the following method:

  1. User logs in to their account on our website.
  2. User “signs in with Twitter” and authorizes our app to post on their behalf.
  3. We obtain an access token and secret which are stored in our database alongside that user account.
  4. Access token and secret are then used to make requests to the Twitter API to update the user status as and when required.

Now, this functionality does not work any more and all requests we make on behalf of our users are coming back 401 unauthorized.

We believe that we need to change the auth method to get this working again. Reading through the documentation it would seem to suggest that 3-legged OAuth is what is recommended, but we believe that in our application the standard OAuth flow is not possible because the user is not able to authorize each time they want to update their status (the usual method of creating a blog post is making a phone call).

Can someone confirm that our understanding is correct? Are we correct in thinking that xAuth is what we need? If xAuth is not what we need, can anyone tell us which auth method we should be using and give us an explanation on how it can work with our app?

We have over 1,000 users who wish to use this feature and so we really need to get this up and running again as soon as possible.


xAuth is not what you need. With typical OAuth, you don’t need the user to go through the auth process every time they are about to do something in your application. You walk them through that process once and then persist the resultant access token and use it when making future requests on their behalf. xAuth is just a means to obtain access tokens, but what you do with those access tokens is the same regardless.

Now if you had existing functionality that is no longer working, it’s more than likely you’re just using the wrong API URLs. Make sure that you’ve verified you aren’t using paths like twitter.com/oauth/* or twitter.com/statuses/* and so on – see this FAQ for more info:
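To make the answer concrete for the flow in the question (one-time "sign in with Twitter", store the access token and secret, sign every later status update with them), here is an added example that is not part of the original post or of any Twitter library. It builds the OAuth 1.0a HMAC-SHA1 `Authorization` header for a status update using a stored token, with no user interaction at posting time. The consumer key/secret and the stored token pair are constructed placeholders, and the `api.twitter.com/1.1/statuses/update.json` endpoint is assumed; the answer's point is only that the host and path must be the current API ones rather than `twitter.com/statuses/*`.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed placeholder credentials; not real Twitter keys.
CONSUMER_KEY = "app-consumer-key-placeholder"
CONSUMER_SECRET = "app-consumer-secret-placeholder"
# These two values are what step 3 of the question stores per user: they come back
# from the one-time "sign in with Twitter" flow and are reused for every later post.
STORED_ACCESS_TOKEN = "user-access-token-placeholder"
STORED_ACCESS_SECRET = "user-access-secret-placeholder"

# Assumed endpoint (v1.1 REST path); the legacy twitter.com/statuses/* form is the kind
# of path the answer says to stop using.
UPDATE_URL = "https://api.twitter.com/1.1/statuses/update.json"


def percent_encode(value: str) -> str:
    """RFC 3986 encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Concatenate HTTP method, base URL and the sorted, encoded parameter set."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(url), percent_encode(param_str)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Signing key is '<consumer secret>&<token secret>', each percent-encoded."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_oauth_header(method, url, body_params, *, consumer_key, consumer_secret,
                       token, token_secret, nonce=None, timestamp=None) -> str:
    """Return the Authorization header value for one signed request.

    nonce/timestamp are injectable so output is reproducible in tests; in production
    they are fresh for every request (Twitter rejects replayed nonces and stale clocks).
    """
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Form-body parameters take part in the signature, but only oauth_* go in the header.
    base = signature_base_string(method, url, {**oauth_params, **body_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    fields = ", ".join(
        f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(oauth_params.items())
    )
    return "OAuth " + fields


def sign_status_update(status: str, nonce=None, timestamp=None) -> dict:
    """What the blog backend sends when a post is published: a signed POST, no user present."""
    body = {"status": status}
    header = build_oauth_header(
        "POST", UPDATE_URL, body,
        consumer_key=CONSUMER_KEY, consumer_secret=CONSUMER_SECRET,
        token=STORED_ACCESS_TOKEN, token_secret=STORED_ACCESS_SECRET,
        nonce=nonce, timestamp=timestamp,
    )
    return {
        "method": "POST",
        "url": UPDATE_URL,
        "headers": {"Authorization": header,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


if __name__ == "__main__":
    req = sign_status_update("New audio post is up!")
    print(req["headers"]["Authorization"])
```

The stored token secret is as sensitive as a password for that user's Twitter account: keep it encrypted at rest and scoped to the server process that signs requests, and revoke it from the database if the user disconnects the integration. A 401 on a correctly signed request usually means the URL, the percent-encoding of the body, or the stored token is wrong, not that a different grant type is needed.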