Basic authentication is being deprecated beginning on August 16th. After August 31st, API clients will no longer be able to identify themselves using only a login and password when accessing the Twitter REST API.
For those that just like to skim, here are the basics:
- Basic Auth will be completely shut off on August 30th.
- Beginning Aug 17, basic auth rate limiting will decrease by 15 requests on each week day (10% drop per weekday)
- Aug 16, 8am Pacific - we'll shut basic auth temporarily off for 10 minutes
- Aug 31, 5pm Pacific - we'll shut basic auth temporarily for 10 minutes
- On August 30th, all basic auth requests will be served with a 401 HTTP status code.
We've discussed at length in the past why this transition is important. We recognize that it significantly increases the difficulty of working with the Twitter API. OAuth is not a silver bullet for security, but protects our users and the platform ecosystem notably better than basic authentication.
Today, non-whitelisted basic authentication GET requests are limited to 150 calls per hour. POST operations, such as tweeting, are not effected by this limit. Basic auth apps can continue tweeting with impunity until the full turn off occurs on August 31st.
Beginning August 17th, non-whitelisted basic authentication GET requests will be limited to 135 calls per hour. We will reduce the number of calls per hour by 15 each week day until August 31st. This means on August 18th Basic Authentication will be allowed 120 GET requests per hour, August 19th 105 GET requests per hour and so on. The decrement will happen on each Monday, Tuesday, Wednesday, Thursday, and Friday until August 31st.
For whitelisted basic auth requests, the decrement will be comparative to the general ramp down levels -- about 10% of your total rate limit will decrement every day starting on August 16th. On August 31st, whitelisted basic auth requests will cease functioning as well.
On August 31st, all basic auth requests will be serviced a 401 HTTP status code.
You may have noticed that we temporarily shut basic authentication off today for 10 minutes. We gave minimal notice today, and recognize that more notice would have been optimal. We will be doing these integration tests a few more times before the total deprecation date.
The next basic auth switch-off will occur on Monday, August 16th at 8am Pacific for 10 minutes. After that, we'll do another of these tests on Thursday, August 19th at 5pm Pacific for another 10 minutes. We'll do more of these after that, and we'll announce them closer to that time. As always, follow @twitterapi to keep track in real time.
As always, we're here to help. Let's walk into this new morning together.
Developer Advocate, Twitter Platform