Basic authentication is being deprecated beginning on August 16th. After
August 31st, API clients will no longer be able to identify themselves using
only a login and password when accessing the Twitter REST API.
For those that just like to skim, here are the basics:
- Basic Auth will be completely shut off on August 30th.
- Beginning Aug 17, basic auth rate limiting will decrease by 15 requests
on each week day (10% drop per weekday)
- Aug 16, 8am Pacific - we'll shut basic auth temporarily off for 10
- Aug 31, 5pm Pacific - we'll shut basic auth temporarily for 10 minutes
- On August 30th, all basic auth requests will be served with a 401 HTTP
We've discussed at length in the past why this transition is important. We
recognize that it significantly increases the difficulty of working with the
Twitter API. OAuth is not a silver bullet for security, but protects our
users and the platform ecosystem notably better than basic authentication.
Today, non-whitelisted basic authentication GET requests are limited to 150
calls per hour. POST operations, such as tweeting, are not effected by this
limit. Basic auth apps can continue tweeting with impunity until the full
turn off occurs on August 31st.
Beginning August 17th, non-whitelisted basic authentication GET requests
will be limited to 135 calls per hour. We will reduce the number of calls
per hour by 15 each week day until August 31st. This means on August 18th
Basic Authentication will be allowed 120 GET requests per hour, August 19th
105 GET requests per hour and so on. The decrement will happen on each
Monday, Tuesday, Wednesday, Thursday, and Friday until August 31st.
For whitelisted basic auth requests, the decrement will be comparative to
the general ramp down levels -- about 10% of your total rate limit will
decrement every day starting on August 16th. On August 31st, whitelisted
basic auth requests will cease functioning as well.
On August 31st, all basic auth requests will be serviced a 401 HTTP status
You may have noticed that we temporarily shut basic authentication off today
for 10 minutes. We gave minimal notice today, and recognize that more notice
would have been optimal. We will be doing these integration tests a few more
times before the total deprecation date.
The next basic auth switch-off will occur on Monday, August 16th at 8am
Pacific for 10 minutes. After that, we'll do another of these tests on
Thursday, August 19th at 5pm Pacific for another 10 minutes. We'll do more
of these after that, and we'll announce them closer to that time. As always,
follow @twitterapi to keep track in real time.
If you haven't started transitioning your application, we recommend reading
our write up at http://dev.twitter.com/pages/basic_to_oauth and leveraging
the Twitter Developer mailing list when you need assistance.
As always, we're here to help. Let's walk into this new morning together.
Developer Advocate, Twitter Platform