New developer requirements to protect our platform

Since 2006, Twitter’s APIs have given developers the opportunity to tap into what’s happening in the world. We’re continually amazed by the innovative and helpful use cases developers discover for the Twitter platform: from the town of Jun in Spain that runs on Twitter, to sharing critical information during severe weather, to all the companies creating powerful tools to help businesses get the most out of Twitter. And, of course, we’ve seen developers use our platform to learn how to code, build careers in data science, and produce delightful and fun experiences on Twitter — like Pentametron, a bot that finds rhyming pairs of Tweets that would make Shakespeare proud.

As we’ve outlined in our API platform roadmap, we’re committed to providing access to our platform to developers whose products and services make Twitter a better place. However, recognizing the challenges facing Twitter and the public — from spam and malicious automation to surveillance and invasions of privacy — we’re taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter.

We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter. Between April and June 2018, we removed more than 143,000 apps which violated our policies, and we’re continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently. To this end, in addition to continuing our work to remove problematic apps after they're already active, we are taking steps to limit the access these apps have to our platform in the first place.

Today, we’re introducing a new way for all developers to request access to Twitter’s APIs, along with upcoming changes to increase accountability for apps creating and engaging with content and accounts on Twitter at high volumes. These changes enable us to have more visibility and control over how developers use our platform and public data from the people using our service, and are intended to help address spam and platform abuse and keep the Twitter service safe and secure for everyone.

A new app registration process

Our new developer account application process – which we initially launched in November – includes use case reviews and policy compliance checks, as well as new protections to prevent the registration of spammy and low-quality apps. Starting today, all new requests for access to Twitter’s standard and premium APIs are required to go through this process. While this change adds a few steps and some additional time to the process of getting started with access to our APIs, we’re committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service.

Here’s what these changes mean for developers:

• Beginning today, anyone who wants access to Twitter’s APIs should apply for a developer account using the new developer portal at developer.twitter.com. Once your application has been approved, you’ll be able to create new apps and manage existing apps on developer.twitter.com. Existing apps can also still be managed on apps.twitter.com.

• Eventually, all developers with existing access to our APIs will be required to complete a developer account application in order to maintain their apps. We will provide at least a 90-day notice before enforcing this requirement. We may opt to retire apps.twitter.com before enforcing that requirement; in that case, we will ensure developers have access to manage their apps on developer.twitter.com, even if they have not yet started the application process.
• When applying, all developers will be required to provide detailed information about how they use or intend to use Twitter’s APIs so that we can better ensure compliance with our policies. You can help expedite your application approval by providing complete details up front. Applications submitted with incomplete or insufficient information may be delayed while we request further information from a developer. Applications that do not comply with Twitter’s policies will be rejected.
• Following application approval, you may be required to undergo additional, more rigorous policy reviews if you change your app’s use of Twitter’s APIs or request access to additional products or features, including the ability to post content to Twitter frequently or at high volumes (see below).
• We’re also limiting the default number of apps you may have registered by a single developer account to 10. Developers who need to register more than 10 apps — for instance, to enable client-specific products which require distinct apps —  can request permission using the API Policy support form. If you already have more than 10 apps registered, you can continue to use them as long as they comply with our rules but you won’t be able to register new apps until you either request permission for additional apps or delete unused ones.

We know this new process adds extra steps and time to get started with development. Our aim is to continue to build a platform where Twitter developers who comply with our policies can get started quickly and scale up, with little to no friction. We are taking these steps to protect accounts while we work toward that goal and determine how best to balance holding developers accountable to our policies with helping developers get started easily.

New rate limits for POST endpoints

Alongside changes to the developer account application process, we’re introducing new default app-level rate limits for common POST endpoints, as well as a new process for developers to obtain high volume posting privileges. These changes will help cut down on the ability of bad actors to create spam on Twitter via our APIs, while continuing to provide the opportunity to build and grow an app or business to meaningful scale. These changes only impact a small percentage of apps active in our ecosystem today, but will apply to all apps that create Tweets, Retweets, likes, follows, or Direct Messages.

Here’s what’s changing:

• On September 10th, 2018, we will be adding new default app-level rate limits that will apply to all requests to create Tweets, Retweets, likes, follows, or Direct Messages. This change represents a significant decrease in the existing rate of POST activity allowed from a single app by default. Any policy-compliant developer can maintain existing levels of access or gain elevated access through a new request process.
• The new default limits for each endpoint are outlined below and will apply in addition to existing user-level rate limits for these actions. By default, an app (across all of its users) will be limited to:

  - Tweets & Retweets (combined): 300 per 3 hours
  - Likes: 1000 per 24 hours
  - Follows: 1000 per 24 hours
  - Direct Messages: 15,000 per 24 hours

• We will remove this default app-level restriction for any apps that have a valid need for increased access, returning access to the same level allowed today (user-level rate limits only). Developers will need to submit a request and we will review details before granting increased access. We may ask for clarifying information as part of this process (for example, confirming that specific features of a product are fully compliant with the Automation Rules).
• To make this change minimally disruptive, we are proactively conducting policy reviews of potentially impacted apps and will contact eligible developers with instructions about how to request elevated access so that their apps are not affected on September 10th. To ensure that we are able to contact you, please verify that the email address on the Twitter account linked to your app is up-to-date and has been confirmed.
• Going forward, as apps approach these rate limits, we’ll continue to proactively review and contact developers with instructions about how to request elevated access. These ongoing reviews will help avoid disruption for compliant developers, as well as help developers more quickly identify and address any behaviors that are non-compliant with our policies.
• You can request additional information about this rate limit at any time using the API Policy support form. If you are getting ready to launch an app that is likely to exceed these rate limits and want to request a review in advance, please reach out using the same form.

While we generally like to provide a longer timeline for developers to prepare for changes like these, we are accelerating this change because protecting our platform and people using Twitter from abuse and manipulation is our highest priority. Despite the accelerated timeline, we want to ensure developers have time to submit the necessary information, and that we can complete all reviews with minimal disruption to policy-compliant apps.

Reporting bad apps

Finally, we’re also introducing a new option for people to report suspected violations of our platform policies to us for review. You can use the “Report a bad app” option in our Help Center to report uses of our APIs which produce spam, invade user privacy, or otherwise violate our rules.

To learn more about our policies and how we’ll be evaluating applications, please review the Twitter Developer Agreement, Developer Policy, Automation Rules, and Restricted Uses documentation. You can also ask questions about these policies using the Rules and Policies category in the Developer Forums.

To stay up-to-date with developer platform updates, please follow Tweets from @TwitterDev and subscribe to developer news from our other channels. To see what’s coming, follow our developer platform roadmap.