xAuth API: Bringing a more secure experience to users and developers


At Twitter, we have a system that issues a login challenge when it detects a suspicious login. The user is prompted with a simple question about their account to verify that the attempt is legitimate before access is granted. On April 30, we are going to begin implementing this same system across third parties in order to further prevent account compromise.

This change affects third parties that use xAuth (if you are using 3-legged OAuth or Fabric, you will not be affected). Once we implement the change, when a suspicious login is detected from your site or app that uses xAuth to authenticate, the user will not be able to log in and will receive an email from Twitter with a temporary passcode, which they will need to enter in order to log in and continue using your service. When a suspicious login is detected from one of your users, you’ll see API error code 329.

In order to minimize confusion for your users, we recommend you surface a helpful error message. Switching from xAuth to 3-legged OAuth will also alleviate any service disruptions.



