x-access-level header in the HTTP response. The value of the header shows the current permission level in use. Possible values are read, read-write, and read-write-directmessages.
callback_url parameter when making a request to the GET oauth/request_token endpoint. Similarly, developers using OAuth 2.0 Authorization Code with PKCE must pass the redirect_uri parameter with their request to the GET oauth2/authorize endpoint.
In addition to using these parameters, the developer must make sure that the callback URL has been added to their App’s callback URL allowlist, which can be found on the developer portal’s App settings page.
If set up properly, developers will be directed to the callback URL after successfully signing in to X as part of these flows.
callback_url or redirect_uri parameters, please make sure that you HTTP encode the URL.
Callback URL limits
There is a hard limit of 10 callback URLs in the X Apps dashboard. The allowlisted callback URL that you add to the Apps dashboard and the parameter you add in the authorization flow should always be an exact match.
If you wish to include request-specific data in the callback URL, you can use the state parameter to store data that will be included after the user is redirected. You can either encode the data in the state parameter itself or use the parameter as a session ID to store the state on the server.
Don’t use localhost as a callback URL
Instead of using localhost, please use a custom host locally or http(s)://127.0.0.1.
Custom protocol URLs
If you would like to take advantage of mobile deep linking, you can utilize custom protocol URLs with a path and domain part, such as twitter://callback/path. However, we do have a list of disallowed protocols that you will need to avoid. You can review the list of disallowed protocols below.
Disallowed protocols
vbscript | ldap |
javascript | mailto |
vbs | mmst |
data | mmsu |
mocha | msbd |
keyword | rtsp |
livescript | mso-offdap |
ftp | snews |
file | news |
gopher | nntp |
acrobat | outlook |
callto | stssync |
daap | rlogin |
itpc | telnet |
itms | tn3270 |
firefoxurl | shell |
hcp | sip |
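
The rules above (exact allowlist match, no localhost, disallowed protocols, encoded redirect_uri, state used as a server-side session ID) can be enforced in the app before the user is sent to the authorization endpoint. The following is an added example, not code from X's documentation; the endpoint URL, allowlist entries and function names are placeholders, only a subset of the disallowed protocols is checked, and the PKCE and scope parameters are omitted to keep the focus on callback handling.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder endpoint and allowlist: constructed values, not taken from the page.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth2/authorize"
ALLOWLIST = {"https://app.example.invalid/oauth/callback",
             "http://127.0.0.1:8080/callback"}
# Subset of the disallowed protocols listed above.
DISALLOWED_SCHEMES = {"javascript", "vbscript", "data", "file", "ftp",
                      "mailto", "telnet", "shell"}

_pending = {}  # state -> request-specific data, kept on the server


def check_callback(url):
    """Return None if the URL is usable as a callback, else the reason it is not."""
    parts = urlsplit(url)
    if parts.scheme.lower() in DISALLOWED_SCHEMES:
        return "disallowed protocol"
    if (parts.hostname or "").lower() == "localhost":
        return "localhost is not accepted; use 127.0.0.1 or a custom host"
    if url not in ALLOWLIST:  # exact string match, no prefix or wildcard logic
        return "not an exact match for an allowlisted callback URL"
    return None


def build_authorize_url(client_id, redirect_uri, request_data):
    """Build the authorization URL; state is an opaque session ID for request_data."""
    reason = check_callback(redirect_uri)
    if reason:
        raise ValueError(reason)
    state = secrets.token_urlsafe(32)  # unguessable, so it also binds the response
    _pending[state] = request_data
    # urlencode percent-encodes redirect_uri so it travels as one parameter value.
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(callback_url):
    """Return the data stored under the returned state and consume it (single use)."""
    returned = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    if returned not in _pending:
        raise ValueError("unknown or replayed state")
    return _pending.pop(returned)
```

Because the request-specific data stays in the server-side store, the callback URL itself never changes and keeps matching the allowlisted entry exactly.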