How to connect to endpoints using OAuth 2.0 Authorization Code Flow with PKCE
How to connect to the endpoints
To authenticate your users, your App will need to implement an authorization flow. This authorization flow lets you direct your users to an authorization dialog on X. From there, the primary X experience will show the authorization dialog and handle the authorization on behalf of your App. Your users will be able to authorize your App or decline permission. After the user makes their choice, X will redirect the user to your App, where you can exchange the authorization code for an access token (if the user authorized your App), or handle a rejection (if the user did not authorize your App).
Working with confidential clients
If you are working with confidential clients, you will need to use a basic authentication scheme for generating an authorization header with base64 encoding while making requests to the token endpoints. The user ID and password are separated by a single colon (":") character within a base64-encoded string in the credentials.
An example would look like this:
--header 'Authorization: Basic V1ROclFTMTRiVWhwTWw4M2FVNWFkVGQyTldNNk1UcGphUTotUm9LeDN4NThKQThTbTlKSXQyZm1BanEzcTVHWC1icVozdmpKeFNlR3NkbUd0WEViUA=='
If the user agent wishes to send the Client ID “Aladdin” and password “open sesame,” it would use the following header field:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
To create the basic authorization header you will need to base64-encode your Client ID and Client Secret, which can be obtained from your App's "Keys and Tokens" page inside of the developer portal.
Steps to connect using OAuth 2.0
Step 1: Construct an Authorize URL
Your App will need to build an authorize URL to X, indicating the scopes your App needs to authorize. For example, if your App needs to look up Tweets and users and to manage follows, it should request the following scopes: tweet.read%20users.read%20follows.read%20follows.write
The URL will also contain the code_challenge and state parameters, in addition to the other required parameters. In production you should use a random string for the code_challenge.
Step 2: GET oauth2/authorize
Have the user authenticate and send the application an authorization code. If you have enabled OAuth 2.0 for your App you can find your Client ID inside your App’s “Keys and Tokens” page.
An example URL to redirect the user to would look like this:
offline.access scope is requested). You can make a POST request to the following endpoint:
Content-Type of application/x-www-form-urlencoded via a header. Additionally, you should have in your request: code, grant_type, client_id, redirect_uri, and the code_verifier.
Here is an example token request for a public client:
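The three steps above (authorize URL with code_challenge and state, the callback check, and the token request body) plus the Basic header for confidential clients, worked through in Python as an added example that is not the page's own code; the authorize host is an assumed placeholder, since the page only names the oauth2/authorize path.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Assumed placeholder host: the page names only the "oauth2/authorize" path.
AUTHORIZE_URL = "https://x.example/oauth2/authorize"

def make_code_verifier(nbytes: int = 32) -> str:
    """Random code_verifier; RFC 7636 wants 43-128 unreserved characters."""
    return secrets.token_urlsafe(nbytes)

def make_code_challenge(code_verifier: str) -> str:
    """S256 code_challenge: base64url(SHA-256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id: str, redirect_uri: str, scopes,
                        state: str, code_challenge: str) -> str:
    """Step 1: authorize URL carrying the scopes, state and the S256 challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # quote (not quote_plus) renders spaces as %20
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote)

def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 2 result: reject the callback unless state matches what we sent (CSRF check)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise PermissionError(query["error"][0])  # user declined authorization
    return query["code"][0]

def token_request_body(code: str, client_id: str, redirect_uri: str, code_verifier: str) -> str:
    """Step 3 body (application/x-www-form-urlencoded) for a public client."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "redirect_uri": redirect_uri,
                      "code_verifier": code_verifier})

def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Confidential clients: base64('client_id:client_secret') in the Authorization header."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
```

Keep the code_verifier and state server-side per session; the verifier is sent only in the token request, never in the authorize URL.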
Content-Type of application/x-www-form-urlencoded via a header. In addition, you will also need to pass in your refresh_token, set your grant_type to refresh_token, and define your client_id.
This request will work for public clients:
Content-Type of application/x-www-form-urlencoded via a header, your token, and your client_id.
In some cases, a user may wish to revoke the access given to an App; they can do so by visiting the connected Apps page.