The PIN-based OAuth flow is a version of the 3-legged OAuth process and is intended for applications that cannot access or embed a web browser to redirect the user after authorization. Examples of such applications would be command-line applications, embedded systems, game consoles, and certain types of mobile apps.
The PIN-based OAuth flow is initiated by an app in the request_token step with the oauth_callback set to oob. The term oob means out-of-band OAuth. The user still visits Twitter to log in or authorize the app, but they will not be automatically redirected to the application upon approving access. Instead, they will see a numerical PIN code, with instructions to return to the application and enter this value.
Please note: The callback_url within the Twitter app settings is still required, even when using PIN-based auth.
Implementing the PIN-based OAuth flow
The value for oauth_callback must be set to oob during the POST oauth/request_token call.
After the user is sent to Twitter to authorize your app using either a GET oauth/authenticate or GET oauth/authorize URL, they will not be redirected to your callback_url; instead they will see a screen with a Twitter-generated ~7 digit PIN and directions to enter the PIN into your application.
The user enters this PIN into your application, and your application uses the PIN as the oauth_verifier in the POST oauth/access_token call to obtain an access_token.
Please note: PINs are not reusable, and the access_token obtained should be used for application-user requests.
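As an added example (not Twitter's own code), the following Python builds the signed OAuth 1.0a Authorization headers for the two calls described above: oauth_callback set to the literal oob on request_token, and the PIN the user typed sent as oauth_verifier on access_token. It signs offline and sends no HTTP; the consumer keys, tokens and PIN passed to it are hypothetical values.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote

REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept)."""
    return quote(str(value), safe="~")

def signature_base_string(method, url, params):
    """METHOD&enc(url)&enc(sorted, individually encoded params), per OAuth 1.0a."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Key is consumer secret '&' token secret; token secret is empty for request_token.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def oauth_header(method, url, consumer_key, consumer_secret, extra, token=None,
                 token_secret="", nonce=None, timestamp=None):
    """Build the Authorization header; nonce/timestamp are injectable so tests are deterministic."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": nonce or secrets.token_hex(16),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": str(timestamp or int(time.time())), **extra}
    if token:
        params["oauth_token"] = token
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))

def request_token_header(consumer_key, consumer_secret, **kw):
    # Step 1: oauth_callback is the literal string "oob" for the PIN flow (hypothetical keys).
    return oauth_header("POST", REQUEST_TOKEN_URL, consumer_key, consumer_secret,
                        {"oauth_callback": "oob"}, **kw)

def parse_token_response(body):
    """Parse the form-encoded oauth_token/oauth_token_secret body returned by request_token."""
    fields = parse_qs(body, strict_parsing=True)
    return fields["oauth_token"][0], fields["oauth_token_secret"][0]

def access_token_header(consumer_key, consumer_secret, req_token, req_secret, pin, **kw):
    # Step 3: the user-typed PIN becomes oauth_verifier, signed with the request token secret.
    pin = pin.strip()
    if not pin.isdigit():
        raise ValueError("PIN must be the numeric code shown by Twitter")
    return oauth_header("POST", ACCESS_TOKEN_URL, consumer_key, consumer_secret,
                        {"oauth_verifier": pin}, token=req_token, token_secret=req_secret, **kw)
```

Between steps 1 and 3 the app sends the user to GET oauth/authorize with the oauth_token from step 1 and waits for them to type the PIN shown there.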