Callback URL

Introduction

Sign in with Twitter allows developers to access Twitter content in order to make it easy for their users to sign in with just a few clicks. Developers use callback URLs as part of this integration in order to provide directions on where a user should go after signing in with their Twitter credentials. This field can be set for each of your different apps on the apps.twitter.com website.

As part of our continued effort to ensure safety and security on the Twitter developer platform, any developer using Sign in with Twitter must explicitly declare their callback URLs in a whitelist on apps.twitter.com. On June 12th, 2018, we will require any callback URLs used with the oauth/request_token endpoint to be whitelisted within your app settings on apps.twitter.com. This means that if the callback_url parameter used with the oauth/request_token endpoint isn't whitelisted, you will receive an error. 

 

What do I need to do before June 12th?

Before we implement this change to the callback URLs on June 12th, 2018, please consider the following to ensure that your users will be able to use your implementation of Sign in with Twitter without experiencing errors.

You can add multiple callback URLs to your whitelist on the app settings page on apps.twitter.com. Up until June 12th, you can enable the setting “Enable Callback Locking” to test that only URLs you have whitelisted are accepted.

Starting June 12th, you will need to whitelist all of the callback URLs used with the oauth/request_token endpoint within your app settings on apps.twitter.com. The “Enable Callback Locking” setting will be removed on this date as well.

Please note: Mobile apps with app-specific protocols must use just the protocol. For example, please use example:// as opposed to example://authorize. Any deep linking will result in the following error:
“The client application failed validation: Not a valid callback URL format.”
 

What will happen if I use a callback URL that hasn't been whitelisted?

After June 12th, if you use a callback URL that hasn't been whitelisted, you will receive the following error message:

HTTP 403 - Forbidden

{
  "errors": [
    {"code":415,"message":"Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings."}
  ]
}

OR

<?xml version="1.0" encoding="UTF-8"?>
<hash>
<error>Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings</error>
<request>/oauth/request_token</request>
</hash>


If you do receive this error message, please check the URL that you are using with the callback_url parameter in your oauth/request_token call and make sure that this URL has been whitelisted in your app settings on apps.twitter.com.
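The following added example (not Twitter's code) shows one way a client could recognise the rejection in either of the two response formats above, and check a mobile callback against the protocol-only rule before sending it. The function names are hypothetical, and the sample bodies are constructed from the responses shown on this page.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NOT_APPROVED_CODE = 415  # code from the JSON error body on this page
NOT_APPROVED_TEXT = "Callback URL not approved for this client application"

def is_callback_rejection(status, body):
    """True if an oauth/request_token response is the unapproved-callback error."""
    text = body.strip()
    if status != 403 or not text:
        return False
    if text.startswith("{"):  # JSON form
        try:
            errors = json.loads(text).get("errors") or []
            return any(e.get("code") == NOT_APPROVED_CODE for e in errors)
        except (ValueError, AttributeError, TypeError):
            return False
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return False  # the documented XML body has no DTD; refuse to parse one
    try:  # XML form
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError:
        return False
    return (root.findtext("error") or "").startswith(NOT_APPROVED_TEXT)

def has_deep_link(callback_url):
    """True if an app-specific-protocol callback carries more than scheme://."""
    parts = urlsplit(callback_url)
    if parts.scheme in ("", "http", "https"):
        return False  # web callbacks are not covered by the protocol-only rule
    return bool(parts.netloc or parts.path or parts.query or parts.fragment)

# Sample bodies constructed from the two error responses shown above.
JSON_BODY = '{"errors":[{"code":415,"message":"Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings."}]}'
XML_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<hash>
<error>Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings</error>
<request>/oauth/request_token</request>
</hash>"""

if __name__ == "__main__":
    print(is_callback_rejection(403, JSON_BODY), is_callback_rejection(403, XML_BODY))
    print(has_deep_link("example://authorize"), has_deep_link("example://"))
```

Logging the rejected callback_url value when `is_callback_rejection` returns true makes it easy to see which URL is missing from the whitelist.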