Twitter OAuthcalypse Coming Soon

Matthew Casperson, April 28th, 2010

Back in the good old days things were a lot simpler. You didn’t have to worry about packet capturing or password extracting, and as a result a lot of the original protocols like HTTP, FTP and POP3 didn’t worry about sending your passwords over the wire in plain text. But in today’s increasingly sophisticated API-driven world this isn’t enough.

For developers, storing a username and password and sending them to a web server was easy – most APIs and libraries included simple username and password fields. The most common form of this kind of authentication, typically known as HTTP basic authentication, has been available to users of the Twitter API for some time now, and its convenience has made it more attractive than secure protocols like OAuth for a number of developers. However, on June 30th Twitter will be shutting off basic authentication:

You’re going to be hearing a lot from me over the next 9 weeks.  Our plan is to turn off basic authorization on the API by June 30, 2010 — developers will have to switch over to OAuth by that time.  Between now and then, there will be a *lot* of information coming along with tips on how to use OAuth Echo, xAuth, etc.  We really want to make this transition as easy as we can for everybody.

As always, please feel free to reach out to this group, or to @twitterapi directly. If you need help remembering the date -

And as noted above the Twitter team has even created a handy countdown clock to help you count the days:

The change will only affect the REST API, while the streaming API will continue to support basic authentication.

The effect of the change is not limited to small hobby projects – popular Twitter clients like TweetDeck have traditionally used basic authentication (although they have made the switch to OAuth). While Twitter will provide a lot of documentation and support for the change over to OAuth, the onus is still on developers to make the required changes, and there are lots of mashups that make use of the Twitter API.
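To make the difference between basic authentication and OAuth concrete, the following added example (not from the original article or from Twitter) builds both kinds of Authorization header and shows that the password can be read straight out of the Basic one, while the OAuth one carries only a signature. It assumes OAuth 1.0a with HMAC-SHA1 signing as described in RFC 5849; the endpoint URL, keys, secrets, nonce and timestamp are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(header):
    # Base64 is an encoding, not encryption: any captured header yields the password.
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def oauth1_header(method, url, params, consumer, token, nonce, timestamp):
    # consumer and token are (key, secret) pairs; only the keys go on the wire.
    oauth = {
        "oauth_consumer_key": consumer[0],
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token[0],
        "oauth_version": "1.0",
    }
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in {**params, **oauth}.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The two secrets form the HMAC key and are never transmitted.
    key = f"{pct(consumer[1])}&{pct(token[1])}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))

# Constructed sample values (not real credentials or a real endpoint).
URL = "https://api.example.test/1/statuses/update.json"
CONSUMER = ("constructed-consumer-key", "constructed-consumer-secret")
TOKEN = ("constructed-access-token", "constructed-token-secret")

def demo():
    basic = basic_header("alice", "s3cret!")
    signed = oauth1_header("POST", URL, {"status": "hello world"},
                           CONSUMER, TOKEN, "constructed-nonce", 1272412800)
    return recover_basic(basic), signed

if __name__ == "__main__":
    leaked, signed = demo()
    print("recovered from Basic header:", leaked)
    print(signed)
```

The signature covers the method, URL and parameters, so altering the status text invalidates it, and neither secret appears anywhere in the header.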


10 Responses to “Twitter OAuthcalypse Coming Soon”

April 28th, 2010
at 1:20 pm
Comment by: Joe Molloy

I’m delighted to hear this news. It will somewhat raise the entry barrier to those scripting against Twitter and I’m sure in the process deter many who abuse the service for their own ends.

May 7th, 2010
at 10:03 am
Comment by: Office links for April

[...] developers beware! Their API authentication is becoming more sophisticated. Programmable Web reports that Twitter's REST API will require OAuth authentication starting in June of this year. [...]

May 20th, 2010
at 5:25 pm
Comment by: David Beckemeyer

For small hobby projects, we built an API – It’s a Twitter proxy – you use Basic Auth to talk to the proxy, and it uses OAuth to talk to Twitter. Easy peasy.

May 24th, 2010
at 2:23 am
Comment by: Hacker Confronts the Coming Twitter OAuthcopalyse with SuperTweet

[...] Beckemeyer (Mr Blog) did when his tweeting garage door opener was threatened by the approaching OAuthpocalypse. This date with destiny for all Twitter programmers is the planned June 30th cutoff of basic [...]

July 26th, 2010
at 5:46 am
Comment by: Twitter OAuth Countdown Hits Three Weeks

[...] the side, that’s just three more weekends of hacking to upgrade apps to OAuth. The original deadline was June 30, but Twitter later postponed to [...]

August 16th, 2010
at 2:05 pm
Comment by: Twitter Basic Auth Will Truly Disappear August 30

[...] users make happier developers, but Twitter also has given developers plenty of time. The move was first announced in April. For developers in need of help moving to OAuth, Twitter has a guide. Related ProgrammableWeb [...]

August 31st, 2010
at 3:28 pm
Comment by: OAuth-only Twitter: What it Means for JavaScript Apps

[...] have had plenty of warning. Twitter first announced the move in April, then extended the deadline from June to August and finally implemented a gradual phase-out. [...]

September 3rd, 2010
at 2:22 am
Comment by: Twitter API Changes Causing Some User Headaches

[...] has gone OAuth-only and it is judgement day for the scores of Twitter apps still using basic authentication. Developers [...]

December 9th, 2010
at 10:36 am
Comment by: Foursquare API v2 is Public, v1 Deprecated | Another Newyork Times

[...] Twitter went OAuth-only over the summer, in what some frustrated developers forced to retool their applications called the “OAuthocalypse”. Facebook’s Graph API, launched back in April and replacing the service’s older APIs, has used OAuth from the start. With the popularity of Foursquare mashups, we might see similar OAuthocalypse issues when the location startup shuts off v1 of its API in mid 2011. [...]

May 18th, 2011
at 6:25 pm
Comment by: Twitter Extends New OAuth Deadline For Apps Accessing Direct Messages

[...] Twitter shut off basic authentication last year, it gave over four months notice, though the original heads up was half that. The company [...]
