Skip to main content
X delivers chat.received, chat.sent, and related X Chat activity with ciphertext in the payload. Decrypt with the Chat XDK. Private X Chat event types need authorization for the user you monitor. Encrypted X Chat file attachments use media_hash_key and X Chat media download—not Post API expansions=attachments.media_keys / media.fields=variants.

Event types


1. Choose delivery

Activity stream (often simplest for bots): GET /2/activity/stream with an app Bearer token (optional backfill_minutes, start_time, end_time per OpenAPI). Filter client-side for chat.received / chat.sent. Activity subscriptions: manage durable subscriptions with:
  • POST /2/activity/subscriptions — create
  • GET /2/activity/subscriptions — list (paginated)
  • PUT /2/activity/subscriptions/{subscription_id} — update
  • DELETE /2/activity/subscriptions/{subscription_id} or DELETE /2/activity/subscriptions?ids= — delete
Request bodies and required scopes are defined in the OpenAPI operation for each route (typically Bearer for app-level XAA management). Webhooks (Account Activity-style): if you terminate events on your HTTPS endpoint, register a webhook, pass CRC challenges, then create subscriptions under /2/account_activity/webhooks/{webhook_id}/subscriptions/all (see Account Activity operations in OpenAPI). Python/TypeScript XDK may expose helpers for webhooks and activity when your SDK version includes them.
Subscribe to chat.sent as well if you need outbound copies. Other languages: call the same /2/activity/* HTTPS routes with a Bearer token.

2. CRC (webhooks only)

If you use Account Activity webhooks, respond to Challenge-Response Checks (GET crc_token) with HMAC-SHA256 of the token using your consumer secret, in the JSON shape your webhook product expects (typically sha256=<base64>).

3. Decrypt with the Chat XDK

Live fields: payload.encoded_event, optional payload.conversation_key_change_event. Deduplicate on event_uuid. JavaScript uses camelCase event types (message); other bindings use "Message" and snake_case fields.
History: GET /2/chat/conversations/{id}/events + decrypt_events — see Getting Started.

Payload shape (live)


Practices

  • Verify webhook signatures per platform requirements
  • Cache conversation keys and sender public keys
  • Apply key-change blobs before decrypting dependent messages
  • Deduplicate on event_uuid