Callback URLs

Third-party authentication allows developers to verify the identity of, or act on behalf of, Twitter users who complete a sign-in flow. Currently, there are two flows that you can use to let users authorize your application:

  • OAuth 1.0a
  • OAuth 2.0

As users work through either flow, they need a webpage or location to be sent to after they have successfully logged in and granted authorization to the developer's App. This follow-up location is called a callback URL. Developers use callback URLs to direct users back to their App after those users have signed in with their Twitter credentials.

As part of our continued effort to ensure safety and security on the Twitter developer platform, any developer using Sign in with Twitter must explicitly declare their callback URLs in their Twitter App settings, which can be accessed in the dashboard when logged into your Twitter account on developer.twitter.com. This means that if the callback URL passed in the oauth_callback parameter to the GET oauth/request_token endpoint has not been added to the allow list in your App's settings, the request will be rejected with an error.

Best Practices

When you are setting up your callback URLs, there are a few things that you should keep in mind:

Need more than 10 callback URLs?
There is a hard limit of 10 callback URLs in the Twitter Apps dashboard. If you need more, combine them into a single registered address and distinguish the individual destinations with query strings in your oauth/request_token request (see the next item).

Do not add query strings to your callback URLs in your Twitter App's configuration
Twitter allows you to pass any standard query string along with your callback URL in your oauth/request_token request; the match against the allow list is made on the part of the URL before the query string. For that reason, query strings are not permitted on the callback URLs you list in the Twitter Apps dashboard.
Example:

  • You want to use https://yourdomain.com?source=twitter as your callback URL
    • Add this to the Twitter App dashboard: https://yourdomain.com
    • Use this in your call to oauth/request_token: https://yourdomain.com?source=twitter

Don't use localhost as a callback URL
Instead of localhost, use a custom hostname that resolves to your machine, or http(s)://127.0.0.1

Mobile apps with app-specific protocols must use just the protocol
Example:

  • You want to use example://authorize as your callback URL


The callback URL you pass at request time should exactly match an entry in your registered list (aside from the query string allowance above). Exact matching is a best practice for OAuth 1.0a and is required for OAuth 2.0.
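The rules above (a 10-entry limit, no query strings on registered entries, no localhost, exact matching of everything before the query string, and multiplexing many destinations through one registered URL) can be checked before you ship. The following is an added example that models those rules in Python; it is not Twitter's server-side implementation, and the exact behaviour for custom mobile schemes, case handling and trailing slashes is an assumption made for illustration.

```python
"""Allow-list checks for OAuth callback URLs, modelled on the documented rules.

Added illustration only, not Twitter's own code. It assumes:
  - the comparison is exact on scheme://host[:port]/path, with the
    request-time query string ignored (as the docs describe);
  - scheme and host are compared case-insensitively (RFC 3986), the
    path case-sensitively, and a trailing slash is significant.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

MAX_CALLBACK_URLS = 10  # hard limit in the Twitter Apps dashboard


class CallbackConfigError(ValueError):
    """A registered callback URL violates one of the documented rules."""


def normalise(url: str) -> str:
    """Return scheme://netloc/path with the query and fragment dropped."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def validate_registered(urls):
    """Check a candidate allow list before registering it in the dashboard.

    Returns the normalised list, or raises CallbackConfigError describing
    the first rule that is broken.
    """
    if len(urls) > MAX_CALLBACK_URLS:
        raise CallbackConfigError(
            f"at most {MAX_CALLBACK_URLS} callback URLs are allowed; "
            "combine destinations into one URL and use query strings"
        )
    for url in urls:
        p = urlsplit(url)
        if p.query or p.fragment:
            raise CallbackConfigError(
                f"{url}: query strings are not allowed on registered callback URLs"
            )
        if p.hostname == "localhost":
            raise CallbackConfigError(
                f"{url}: use 127.0.0.1 or a custom local hostname instead of localhost"
            )
    return [normalise(u) for u in urls]


def is_approved(requested: str, registered) -> bool:
    """Exact match of the request-time callback (minus its query) against the list."""
    allow = {normalise(u) for u in registered}
    return normalise(requested) in allow


def build_callback(base: str, **params) -> str:
    """Append query parameters to a single registered base URL.

    This is the pattern the docs recommend when more than 10 destinations
    are needed: register `base` once, and route on the query string when
    the user returns.
    """
    return urlunsplit(urlsplit(base)._replace(query=urlencode(params)))


def route_on_return(callback_url: str, param: str = "source") -> str:
    """Read the routing parameter back out of the URL the user returned on."""
    from urllib.parse import parse_qs
    values = parse_qs(urlsplit(callback_url).query).get(param, [])
    return values[0] if values else ""


if __name__ == "__main__":
    # Constructed sample allow list, as a developer would enter it.
    registered = validate_registered(["https://yourdomain.com"])
    cb = build_callback("https://yourdomain.com", source="twitter")
    print(cb, is_approved(cb, registered), route_on_return(cb))
```

The `is_approved` check is deliberately strict: `https://yourdomain.com/callback` and `https://attacker.example/?next=https://yourdomain.com` both fail against a registered `https://yourdomain.com`, which is the property an exact-match allow list exists to give you.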


Error Example

If you use a callback URL that has not been added to your App's settings in the developer portal, you will receive the following error:

HTTP 403 - Forbidden

{
  "errors": [
    {
      "code": 415,
      "message": "Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings."
    }
  ]
}


OR

<?xml version="1.0" encoding="UTF-8"?>
<hash>
<error>Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings</error>
<request>/oauth/request_token</request>
</hash>


For OAuth 2.0, the following 400-level error is returned instead:

{
  "error": "invalid_request",
  "error_description": "Value passed for the redirect uri did not match the uri of the authorization code."
}


If you receive one of these errors, check the value you are passing in the oauth_callback parameter to oauth/request_token (OAuth 1.0a) or in the redirect_uri parameter of the authorize URL (OAuth 2.0), and make sure that exactly this URL has been added to the allow list in your Twitter App settings.
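A client that integrates Sign in with Twitter should recognise this specific failure rather than surfacing a generic 403, because the fix (adding the URL to the allow list) is a configuration change, not a retry. The following added example, not part of Twitter's documentation or SDKs, classifies a response body as the "callback URL not approved" error in each of the three shapes shown above (OAuth 1.0a JSON, OAuth 1.0a XML, OAuth 2.0 JSON); the sample bodies are constructed from the messages on this page.

```python
"""Detect the 'callback URL not approved' error across the documented response shapes.

Added illustration only. It assumes the error bodies look exactly like the
three samples on this page; any other 4xx body is reported as a different
error.
"""
import json
import xml.etree.ElementTree as ET

CALLBACK_NOT_APPROVED_CODE = 415  # code in the OAuth 1.0a JSON error body
CALLBACK_NOT_APPROVED_TEXT = "Callback URL not approved"


def is_callback_not_approved(status: int, body: str) -> bool:
    """Return True only for the callback allow-list error in any documented shape."""
    if status < 400 or status >= 500:
        return False
    text = body.strip()

    # OAuth 1.0a XML shape: <hash><error>...</error><request>...</request></hash>
    if text.startswith("<"):
        try:
            root = ET.fromstring(text.encode("utf-8"))
        except ET.ParseError:
            return False
        return CALLBACK_NOT_APPROVED_TEXT in (root.findtext("error") or "")

    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return False
    if not isinstance(data, dict):
        return False

    # OAuth 1.0a JSON shape: {"errors": [{"code": 415, "message": ...}]}
    for err in data.get("errors", []):
        if isinstance(err, dict) and err.get("code") == CALLBACK_NOT_APPROVED_CODE:
            return True

    # OAuth 2.0 shape: {"error": "invalid_request", "error_description": "... redirect uri ..."}
    if data.get("error") == "invalid_request":
        return "redirect uri" in data.get("error_description", "").lower()
    return False


# Constructed sample responses, taken from the error examples above.
SAMPLE_JSON_1A = (
    '{"errors":[{"code":415,"message":"Callback URL not approved for this client '
    'application. Approved callback URLs can be adjusted in your application settings."}]}'
)
SAMPLE_XML_1A = (
    '<?xml version="1.0" encoding="UTF-8"?>\n<hash>\n'
    "<error>Callback URL not approved for this client application. Approved callback "
    "URLs can be adjusted in your application settings</error>\n"
    "<request>/oauth/request_token</request>\n</hash>"
)
SAMPLE_JSON_2 = (
    '{"error": "invalid_request", "error_description": "Value passed for the redirect '
    'uri did not match the uri of the authorization code."}'
)

if __name__ == "__main__":
    for name, status, body in [
        ("oauth1 json", 403, SAMPLE_JSON_1A),
        ("oauth1 xml", 403, SAMPLE_XML_1A),
        ("oauth2 json", 400, SAMPLE_JSON_2),
    ]:
        print(name, is_callback_not_approved(status, body))
```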