Callback URLs

Third-party authentication (sometimes known as Sign in with Twitter) lets developers access Twitter content so that their users can sign in with just a few clicks. As part of this integration, developers use callback URLs to specify where a user should be sent after signing in with their Twitter credentials.

As part of our continued effort to ensure safety and security on the Twitter developer platform, any developer using Sign in with Twitter must explicitly declare their callback URLs in the Twitter Apps settings, which can be accessed in the dashboard when logged into your Twitter account on developer.twitter.com. This means that if the URL passed in the callback_url parameter to the oauth/request_token endpoint hasn't been added to the allow list, you will receive an error.
 

Best Practices

When you are setting up your callback URLs, there are a few things that you should keep in mind:

Need more than 10 callback URLs?
There is a hard limit of 10 callback URLs in the Twitter Apps dashboard. Please make sure to combine your callback URLs into a single address and use query strings in your oauth/request_token request.

Do not add query strings to your callback URLs in your Twitter app’s configuration
Twitter will allow you to pass any standard query strings along with your callback URL in your oauth/request_token request. Therefore, we do not allow you to add query strings to the end of the callback URL that you list in the Twitter Apps dashboard.
Example:

  • You want to use https://yourdomain.com?source=twitter as your callback URL
    • Add this to the Twitter App dashboard: https://yourdomain.com
    • Use this in your call to oauth/request_token: https://yourdomain.com?source=twitter
       

Don’t use localhost as a callback URL
Instead of using localhost, please use a custom host locally or http(s)://127.0.0.1.

Mobile apps with app-specific protocols must use just the protocol
Example:

  • You want to use example://authorize as your callback URL

Error Example

If you use a callback URL that hasn't been properly added to your App’s settings in the developer portal, you will receive the following error message:

HTTP 403 - Forbidden

{
  "errors": [
    {"code":415,"message":"Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings."}
  ]
}

OR

<?xml version="1.0" encoding="UTF-8"?>
<hash>
<error>Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings</error>
<request>/oauth/request_token</request>
</hash>


If you do receive this error message, please check the URL that you are using with the callback_url parameter in your oauth/request_token call and make sure that this URL has been added to the allow list in your Twitter App settings.
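A local pre-flight check for the rules above, as an added example that is not part of Twitter's documentation or tooling. The function names and sample URLs are constructed, and the exact comparison of scheme, host and path after dropping the query string is an assumption drawn from the query-string example on this page, not a statement of Twitter's server-side matching.

```python
from urllib.parse import urlsplit

MAX_CALLBACKS = 10  # hard limit stated on this page


def lint_allow_list(registered):
    """Return problems with the URLs entered in the Twitter App settings."""
    problems = []
    if len(registered) > MAX_CALLBACKS:
        problems.append(f"{len(registered)} entries exceeds the limit of {MAX_CALLBACKS}")
    for url in registered:
        parts = urlsplit(url)
        if parts.query:
            problems.append(f"{url}: query string belongs in the request, not the settings")
        if parts.hostname == "localhost":
            problems.append(f"{url}: use a custom host or 127.0.0.1 instead of localhost")
    return problems


def _base(url):
    """Scheme, host[:port] and path, with query string and fragment dropped."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path)


def is_registered(callback_url, registered):
    """True if callback_url, minus its query string, equals a registered entry.

    Assumption: exact match on scheme, host and path (see lead-in).
    """
    return _base(callback_url) in {_base(u) for u in registered}


# Constructed sample settings, not real app configuration
ALLOW_LIST = ["https://yourdomain.com", "http://127.0.0.1:8080/callback"]

if __name__ == "__main__":
    for issue in lint_allow_list(ALLOW_LIST):
        print("settings:", issue)
    for cb in ("https://yourdomain.com?source=twitter",
               "https://yourdomain.com.other.example/?source=twitter"):
        verdict = "on allow list" if is_registered(cb, ALLOW_LIST) else "expect error code 415"
        print(cb, "->", verdict)
```

Running this check in CI or at application start-up surfaces a mismatched callback_url before a user hits the HTTP 403 response shown above.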
 
