The V2 Webhooks API enables developers to receive real-time event notifications from X accounts via webhook-based JSON messages. These APIs allow you to register and manage webhooks, develop consumer applications to process events, and ensure secure communication through challenge-response checks (CRC) and signature headers.
Tier | Pricing | Number of webhooks |
---|---|---|
Self-Serve Pro | $5000/mo | 1 |
Enterprise | Contact sales | 5+ |
These are the products that currently support delivering events via webhook:
The Account Activity API provides you webhook-based JSON messages any time there are events associated with X accounts subscribed to your service. X delivers those activities to your registered webhook. In the following steps, you will learn how to manage webhooks and subscribed users.
You will learn how to register, view, and remove, both webhooks and subscribed users. We’ll be using simple cURL commands to make requests to the various API endpoints. cURL is a command-line tool for getting or sending requests using the URL syntax.
There are several details that need attention before you can start receiving webhook events in your event consumer application. As described below, you will need to create an X app, obtain Account Activity API access, and develop a web app that consumes webhook events.
In order to register a new webhook associated with your X app, you’ll need to develop, deploy and host a web app that receives X webhook events, and responds to our security requests.
Before you get started, we recommend checking out our sample apps!
For testing purposes, the xurl tool now supports temporary webhooks! Install the latest version of the xurl
project from GitHub, configure your authorization, then run:
This will generate a temporary public webhook URL, automatically handle all CRC checks, and log any incoming subscription events. It’s a great way to verify your setup before deploying. Example output:
Important Notes
When registering your webhook URL, your web app needs to use your app’s consumer secret for the encryption of the CRC check.
All incoming Direct Messages will be delivered via webhooks. All Direct Messages sent via POST /2/dm_conversations/with/:participant_id/messages will also be delivered via webhooks. This is so your web app can be aware of Direct Messages sent via a different client.
If you have more than one web app sharing the same webhook URL and the same user mapped to each app, the same event will be sent to your webhook multiple times (once per web app).
In some cases, your webhook may receive duplicate events. Your webhook app should be tolerant of this and dedupe by event ID.
See example code:
X’s webhook-based APIs provide two methods for confirming the security of your webhook server:
See the CRC Check section for implementation requirements.
Webhooks are managed through the Webhook Management API. All endpoints require OAuth2 App Only Bearer Token authentication.
POST /2/webhooks
Description:
Create a webhook configuration. Your publicly accessible https
callback URL must be passed in the JSON body.
Let’s begin with registering a new webhook URL for the given application context.
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Parameters (JSON Body):
<URL>
e.g. https://yourdomain.com/webhooks/twitter/
Request: Copy the following cURL request into your command line after making changes to the following:
Responses:
Success (200 OK)
A successful response indicates the webhook was created and the initial CRC check passed.
Failure (400 Bad Request)
Failures return a standard error object.
Common reasons for failure include:
Reason | Description |
---|---|
CrcValidationFailed | The callback URL did not respond correctly to the CRC check (e.g., timed out, wrong response). |
UrlValidationFailed | The callback URL provided does not meet requirements (e.g., not https , invalid format). |
DuplicateUrlFailed | A webhook is already registered by your application for the provided callback URL. |
WebhookLimitExceeded | Your application has reached the maximum number of allowed webhook configurations. |
GET /2/webhooks
Description: Retrieve all webhook configurations associated with your application (developer account).
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Parameters (JSON Body):
<URL>
e.g. https://yourdomain.com/webhooks/twitter/
Request: Run the following command to retrieve all registered webhook URLs and their statuses for the given application.
Copy the following cURL request into your command line after making changes to the following:
Success (200 OK)
Returns a list of webhook configurations. The list will be empty if no webhooks are configured.
Example (with one webhook configured):
Example (with no webhooks configured):
DELETE /2/webhooks/:webhook_id
Description: Delete a webhook configuration using its specific webhook_id
. The ID can be obtained from the POST /2/webhooks
creation response or the GET /2/webhooks
listing response.
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Path Parameters:
Parameter | Description |
---|---|
webhook_id | The ID of the webhook to delete. |
Request: Run the following command to remove the webhook from the provided application’s configuration.
Copy the following cURL request into your command line after making changes to the following:
Success (200 OK)
Returns a json response with “deleted” status true if successfully deleted.
Example (with successful deletion of webhook):
Failure (400 Bad Request)
Reason | Description |
---|---|
WebhookIdInvalid | The provided webhook_id was not found or is not associated with your app. |
PUT /2/webhooks/:webhook_id
Description: Triggers the challenge response check (CRC) for the given webhook’s URL. If the check is successful, returns 200 and reenables the webhook by setting its status to valid
.
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Path Parameters:
Parameter | Description |
---|---|
webhook_id | The ID of the webhook to validate. |
Request: Run the following command to validate the webhook from the provided application’s configuration.
Copy the following cURL request into your command line after making changes to the following:
Success (200 OK)
A 200 OK response indicates that the CRC check request was initiated. It does not guarantee that the CRC check passed. The valid
field in the response reflects the status after the check attempt. If the CRC check succeeds, the webhook’s status will be updated to valid. You can verify the current status using GET /2/webhooks
.
Failure (400 Bad Request)
Reason | Description |
---|---|
WebhookIdInvalid | The provided webhook_id was not found or is not associated with your app. |
CrcValidationFailed | The callback URL did not respond correctly to the CRC check request. |
The Challenge Response Check (CRC) is how X validates that the callback URL you provided is valid and that you control it.
When CRC is triggered:
POST /2/webhooks
)PUT /2/webhooks/:id
Example:
Example JSON Response Body:
How to Build the Response:
The V2 Webhooks API enables developers to receive real-time event notifications from X accounts via webhook-based JSON messages. These APIs allow you to register and manage webhooks, develop consumer applications to process events, and ensure secure communication through challenge-response checks (CRC) and signature headers.
Tier | Pricing | Number of webhooks |
---|---|---|
Self-Serve Pro | $5000/mo | 1 |
Enterprise | Contact sales | 5+ |
These are the products that currently support delivering events via webhook:
The Account Activity API provides you webhook-based JSON messages any time there are events associated with X accounts subscribed to your service. X delivers those activities to your registered webhook. In the following steps, you will learn how to manage webhooks and subscribed users.
You will learn how to register, view, and remove, both webhooks and subscribed users. We’ll be using simple cURL commands to make requests to the various API endpoints. cURL is a command-line tool for getting or sending requests using the URL syntax.
There are several details that need attention before you can start receiving webhook events in your event consumer application. As described below, you will need to create an X app, obtain Account Activity API access, and develop a web app that consumes webhook events.
In order to register a new webhook associated with your X app, you’ll need to develop, deploy and host a web app that receives X webhook events, and responds to our security requests.
Before you get started, we recommend checking out our sample apps!
For testing purposes, the xurl tool now supports temporary webhooks! Install the latest version of the xurl
project from GitHub, configure your authorization, then run:
This will generate a temporary public webhook URL, automatically handle all CRC checks, and log any incoming subscription events. It’s a great way to verify your setup before deploying. Example output:
Important Notes
When registering your webhook URL, your web app needs to use your app’s consumer secret for the encryption of the CRC check.
All incoming Direct Messages will be delivered via webhooks. All Direct Messages sent via POST /2/dm_conversations/with/:participant_id/messages will also be delivered via webhooks. This is so your web app can be aware of Direct Messages sent via a different client.
If you have more than one web app sharing the same webhook URL and the same user mapped to each app, the same event will be sent to your webhook multiple times (once per web app).
In some cases, your webhook may receive duplicate events. Your webhook app should be tolerant of this and dedupe by event ID.
See example code:
X’s webhook-based APIs provide two methods for confirming the security of your webhook server:
See the CRC Check section for implementation requirements.
Webhooks are managed through the Webhook Management API. All endpoints require OAuth2 App Only Bearer Token authentication.
POST /2/webhooks
Description:
Create a webhook configuration. Your publicly accessible https
callback URL must be passed in the JSON body.
Let’s begin with registering a new webhook URL for the given application context.
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Parameters (JSON Body):
<URL>
e.g. https://yourdomain.com/webhooks/twitter/
Request: Copy the following cURL request into your command line after making changes to the following:
Responses:
Success (200 OK)
A successful response indicates the webhook was created and the initial CRC check passed.
Failure (400 Bad Request)
Failures return a standard error object.
Common reasons for failure include:
Reason | Description |
---|---|
CrcValidationFailed | The callback URL did not respond correctly to the CRC check (e.g., timed out, wrong response). |
UrlValidationFailed | The callback URL provided does not meet requirements (e.g., not https , invalid format). |
DuplicateUrlFailed | A webhook is already registered by your application for the provided callback URL. |
WebhookLimitExceeded | Your application has reached the maximum number of allowed webhook configurations. |
GET /2/webhooks
Description: Retrieve all webhook configurations associated with your application (developer account).
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Parameters (JSON Body):
<URL>
e.g. https://yourdomain.com/webhooks/twitter/
Request: Run the following command to retrieve all registered webhook URLs and their statuses for the given application.
Copy the following cURL request into your command line after making changes to the following:
Success (200 OK)
Returns a list of webhook configurations. The list will be empty if no webhooks are configured.
Example (with one webhook configured):
Example (with no webhooks configured):
DELETE /2/webhooks/:webhook_id
Description: Delete a webhook configuration using its specific webhook_id
. The ID can be obtained from the POST /2/webhooks
creation response or the GET /2/webhooks
listing response.
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Path Parameters:
Parameter | Description |
---|---|
webhook_id | The ID of the webhook to delete. |
Request: Run the following command to remove the webhook from the provided application’s configuration.
Copy the following cURL request into your command line after making changes to the following:
Success (200 OK)
Returns a json response with “deleted” status true if successfully deleted.
Example (with successful deletion of webhook):
Failure (400 Bad Request)
Reason | Description |
---|---|
WebhookIdInvalid | The provided webhook_id was not found or is not associated with your app. |
PUT /2/webhooks/:webhook_id
Description: Triggers the challenge response check (CRC) for the given webhook’s URL. If the check is successful, returns 200 and reenables the webhook by setting its status to valid
.
Authentication:
OAuth2 App Only Bearer Token
<BEARER_TOKEN>
e.g. AAAAAAAAAAAA0%2EUifi76ZC9Ub0wn...
Path Parameters:
Parameter | Description |
---|---|
webhook_id | The ID of the webhook to validate. |
Request: Run the following command to validate the webhook from the provided application’s configuration.
Copy the following cURL request into your command line after making changes to the following:
Success (200 OK)
A 200 OK response indicates that the CRC check request was initiated. It does not guarantee that the CRC check passed. The valid
field in the response reflects the status after the check attempt. If the CRC check succeeds, the webhook’s status will be updated to valid. You can verify the current status using GET /2/webhooks
.
Failure (400 Bad Request)
Reason | Description |
---|---|
WebhookIdInvalid | The provided webhook_id was not found or is not associated with your app. |
CrcValidationFailed | The callback URL did not respond correctly to the CRC check request. |
The Challenge Response Check (CRC) is how X validates that the callback URL you provided is valid and that you control it.
When CRC is triggered:
POST /2/webhooks
)PUT /2/webhooks/:id
Example:
Example JSON Response Body:
How to Build the Response: