Twitter Authentication Code Problem

[Alayna Rother]

NoteIf your account has SMS text message two-factor authentication turned on (and when it is the only two-factor option turned on) and you're still logged in, you can remove your phone from your Mobile settings on X.com. Click Delete my phone and two-factor authentication will be automatically turned off for your account.

A backup code is automatically generated for you when you turn on two-factor authentication through your iOS or Android X app. You can also generate a backup code on twitter.com. Write down, print or take a screenshot of this backup code. In the event that you lose your mobile device or change your phone number, you can use this backup code to log in to your account. Backup codes are not the same as temporary passwords.

Note: You can generate up to five active backup codes at any given time. Be sure to use the codes in the order in which you generated them; using a code out of order will invalidate all previously generated codes.

Following two weeks of extreme chaos at Twitter, users are joining and fleeing the site in droves. More quietly, many are likely scrutinizing their accounts, checking their security settings, and downloading their data. But some users are reporting problems when they attempt to generate two-factor authentication codes over SMS: Either the texts don't come or they're delayed by hours.

I am building a Twitter bot in MicroPython to run on a NodeMCU ESP8266 board. MicroPython doesn't have support for OAuth 1.0 requests out of the box, so I had to roll my own.I've been following these write-ups to build my program:

The return value of cls.__create_auth_header(...) is an "OAuth" string, like the one at the end of link #1 above. I have validated that my implementation of the HMAC-SHA1 algorithm produces the same output from the sample data in link #2 up above. I was able to send the same response through PostMan, so my API keys are valid.

I ended up finding the fix for my problem. The main problem was I wasn't percent encoding my value for oauth_signature. However, even after that I was getting a new error, "errors":["code":32,"message":"Could not authenticate you."].

However when I was debugging the request using PostMan it was working. I realized that Postman couldn't know to add that include_entities entry when it is calculating the signature. Lo and behold when I removed that key from this dictionary, the error went away.

Error responses are served with a non-200-series HTTP code. Different error codes indicate different reasons for an error. The X API attempts to return appropriate HTTP status codes for every request.

The request was invalid or cannot be otherwise served. An accompanying error message will explain further. Requests without authentication or with invalid query parameters are considered invalid and will yield this response.

Double check the format of your JSON query. For example, if your rule contains double-quote characters associated with an exact-match or other operator, you may need to escape them using a backslash to distinguish them from the structure of the JSON format. Read more.

Returned when an invalid format is specified in the request. Generally, this occurs where your client fails to properly include the headers to accept gzip encoding, but can occur in other circumstances as well.

Check that you have created at least one rule on the stream you are connecting to. Filtered stream will only return Posts that match an active rule. If there are no rules, the stream will not return any Posts.

When an error is incurred during a request, detailed information about the error is returned in the response body to aid in diagnosing the problem. A type field, which is a URI, indicates the nature of the problem, while additional fields provide details about the problem. The type, title, and detail fields will always be returned in these bodies (see table below). Any additional fields, as in the example below, will vary depending on the type of the error.

In some cases you may see the errors detailed above in a response that returned a 200 status code. In those cases, the endpoint is designed to return the data that it can, while providing detailed errors about what it could not return.

For example, the Posts lookup endpoint allows a X developer App to request more than one ID. If some of those Posts are available, but one of them has been deleted, the available Posts would be returned in the data field of the response. An additional errors field would be returned in the payload, indicating which requested Post(s) could not be returned. The same format is used as full request errors to make diagnosing issues easier.

Read the accompanying error message. This should give you a good indication of what the problem is. Use the tables in the error and response codes section for troubleshooting tips specific to each error code.

Review our documentation for additional information on rate limits, including how to use HTTP headers to track where your App is at for a given rate limit, how to recover from a rate limit 429 error code, and tips to avoid being rate limited in the first place:

If you've received the specific "Usage cap exceeded: Monthly product cap" error, that means you've hit the Post cap for your access level. We have plenty of details on what these Post caps are on our documentation page.

Were you connected to the stream when the Post was sent? Remember that the timestamp delivered in the Post object indicates time in UTC. If you experienced a disconnect when the Post was sent, review the recovery and redundancy features available to backfill any missed data.

Free/Pro/Basic - Make sure you have an approved developer account, have established a dev environment for the Account Activity API. You must use the proper environment name and App tokens in your request.

Enterprise - Make sure the consumer keys and access tokens you are using belong to a X App that has been allowlisted for use of Enterprise products. If you don't have your consumer keys and access tokens, or need to allowlist your X App, please reach out to your account manager.

If you are trying to register a webhook, the POST :env_name/webhooks endpoint requires that you replace :env_name with your environment name in the request. Also, this endpoint requires that you authenticate using OAuth1.0a User Context, meaning that you need to use the consumer keys and access tokens generated by the X App that you selected as your designated dev environment.

If the tokens' permission level is set to anything less than this, please navigate to the 'Permissions' tab, adjust the access permission to 'Read, write, and direct messages', then regenerate your access tokens and secret from the 'Keys and tokens' tab.

Free/Basic/Pro - Make sure that you have an approved developer account before you try to make a request to the API. You also must use the proper :env_name in the request, which you can set up on the dev environments section of your developer portal.

The App that you are using with the API does not have the proper permission level set for its access token and access token secret. Please navigate to the 'Keys and tokens' tab on the X Apps dashboard and check the permission levels assigned to your access token and access token secret. If it is set to anything other than 'Read, write and Direct Messages,' then you are going to have to adjust the settings under the 'Permission' tab and regenerate your access token and access token secret to apply the new settings.

Alternatively, you are trying to register a webhook using OAuth 2.0 Bearer Token authentication, which is not supported. Please authenticate with OAuth1.0a User Context instead as noted in the API reference sections for registering a webhook for enterprise Account Activity API and premium Account Activity API.

We allow delivery to get behind for a period of time, and we have a temporary staging buffer amount for each stream on our side; but if you don't catch up, we initiate a disconnect to allow you to reconnect at the current point in time. Please note that this may lead to data loss (for data that is within the buffer at the time of the full buffer disconnect).

If you are an enterprise customer using v1.1 endpoints, you can find out more about optimizing your App to prevent disconnects like this in our articles on connection and on consuming streaming data here and here.

There is a range of tools available for retrieving missed Posts due to a disconnect, including the ones listed below. Note that the following tools are only available with v1.1 endpoints at enterprise level of access.

The following table describes the codes which may appear when working with the X API (note that the Ads API and some other resource families may present additional error codes). If an error response is not listed in the table, fall back to examining the HTTP status codes above in order to determine the best way to address the issue. Please also use the above tables for troubleshooting tips for each corresponding HTTP status code.

Corresponds with HTTP 403. Thrown when one of the values passed to the update_profile.json endpoint exceeds the maximum value currently permitted for that field. The error message will specify the allowable maximum number of nn characters.

Corresponds with HTTP 403. Thrown when a user cannot follow another user due to reaching the limit. This limit is applied to each user individually, independent of the Apps they use to access the X platform.

Corresponds with HTTP 403. Thrown when a Post cannot be posted due to the user having no allowance remaining to post. Despite the text in the error message indicating that this error is only thrown when a daily limit is reached, this error will be thrown whenever a posting limitation has been reached. Posting allowances have roaming windows of time of unspecified duration.

Corresponds with HTTP 403. We constantly monitor and adjust our filters to block spam and malicious activity on the X platform. These systems are tuned in real-time. If you get this response our systems have flagged the Post or Direct Message as possibly fitting this profile. If you believe that the Post or DM you attempted to create was flagged in error, report the details by filing a ticket at

3a8082e126