[twitter-dev] using whitelisted account for getting multiple user statuses
My application retrieves status of multiple Twitter users. I have a whitelisted account for a username. The Twitter API documentation recommends that I use whitelisted IP Addresses to get the statuses. However, my IP addresses change pretty often, so I would like to know if it is possible to make more than 150 status requests using a whitelisted account (OAuth). If it isn't possible, what other options do I have? Thanks, BG
[twitter-dev] Re: Newbie to seek advice on the flow of a twitter app with OAuth
You can use localhost? Really? Just update the callback to http://localhost/xxx? On Mon, Jul 20, 2009 at 6:06 PM, Andrew Badera and...@badera.us wrote: On Mon, Jul 20, 2009 at 6:05 AM, CG learn@gmail.com wrote: Please ignore my question, I already solved it. It seems like it required a 'real' callback URL to accomplish the authentication. CG What do you mean by real? I'm able to authenticate using a localhost address for testing. Thanks- - Andy Badera - and...@badera.us - Google me: http://www.google.com/search?q=andrew+badera - This email is: [ ] bloggable [x] ask first [ ] private
[twitter-dev] Re: Keep getting suspended
Thanks for looking in to this and for unsuspending my account. Did you also confirm that the server I am working from is whitelisted? How can I make sure that it is? If it's not, then I won't be able to release my application because everyone will get suspended who uses it then? Thanks, Serge On Jul 20, 11:11 pm, Doug Williams d...@twitter.com wrote: Serge, Looking at the account I'm not quite sure why it was suspended. The records are inconclusive. I've unsuspended the account. For posterity's sake I'll repeat that whitelisting will not protect you from suspension. Whitelisting raises select REST API limits. Thanks, Doug
[twitter-dev] Re: Keep getting suspended
Serge, You can always verify the whitelisted status of your IP or user through a call to account/rate_limit_status. For instance, here are my results:
    doug$ curl -u dougw:PASSWORD http://twitter.com/account/rate_limit_status.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <reset-time type="datetime">2009-07-21T08:29:35+00:00</reset-time>
      <remaining-hits type="integer">19995</remaining-hits>
      <hourly-limit type="integer">2</hourly-limit>
      <reset-time-in-seconds type="integer">1248164975</reset-time-in-seconds>
    </hash>
Notice the hourly rate limit of 2 indicating my account is whitelisted. Removing the authentication will give me the results for my IP address:
    doug$ curl http://twitter.com/account/rate_limit_status.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <reset-time type="datetime">2009-07-21T08:27:45+00:00</reset-time>
      <remaining-hits type="integer">148</remaining-hits>
      <hourly-limit type="integer">150</hourly-limit>
      <reset-time-in-seconds type="integer">1248164865</reset-time-in-seconds>
    </hash>
The hourly limit here is 150 indicating my IP is not whitelisted. For completeness, our rate limiting article is here [1]. Again, whitelisting does not ensure your users will not get suspended. Whitelisting only affects rate limits.
1. http://apiwiki.twitter.com/Rate-limiting
Thanks, Doug -- Do you follow me? http://twitter.com/dougw
On Tue, Jul 21, 2009 at 12:29 AM, sjespers se...@webkitchen.be wrote: Thanks for looking in to this and for unsuspending my account. Did you also confirm that the server I am working from is whitelisted? How can I make sure that it is? If it's not, then I won't be able to release my application because everyone will get suspended who uses it then? Thanks, Serge
On Jul 20, 11:11 pm, Doug Williams d...@twitter.com wrote: Serge, Looking at the account I'm not quite sure why it was suspended. The records are inconclusive. I've unsuspended the account. For posterity's sake I'll repeat that whitelisting will not protect you from suspension. Whitelisting raises select REST API limits. Thanks, Doug
[twitter-dev] Re: Keep getting suspended
Thanks. So I was able to verify that my server is whitelisted. However, is 2 API calls enough for a proxy? Let me explain. I'm building a Twitter client in Flash Lite. Flash Lite currently only supports ActionScript2. Because there is no AS2 Twitter API, I'm using a server side API proxy. So, the Flash Lite app connects to mtwit.net mtwit.net connects to Twitter.com mtwit returns XML data to my app. In theory, a limit of 2 means I can only support 133 concurrent users (if they all leave the app running for an hour). Thanks, Serge
On Jul 21, 9:39 am, Doug Williams d...@twitter.com wrote: Serge, You can always verify the whitelisted status of your IP or user through a call to account/rate_limit_status. For instance, here are my results:
    doug$ curl -u dougw:PASSWORD http://twitter.com/account/rate_limit_status.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <reset-time type="datetime">2009-07-21T08:29:35+00:00</reset-time>
      <remaining-hits type="integer">19995</remaining-hits>
      <hourly-limit type="integer">2</hourly-limit>
      <reset-time-in-seconds type="integer">1248164975</reset-time-in-seconds>
    </hash>
Notice the hourly rate limit of 2 indicating my account is whitelisted. Removing the authentication will give me the results for my IP address:
    doug$ curl http://twitter.com/account/rate_limit_status.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <reset-time type="datetime">2009-07-21T08:27:45+00:00</reset-time>
      <remaining-hits type="integer">148</remaining-hits>
      <hourly-limit type="integer">150</hourly-limit>
      <reset-time-in-seconds type="integer">1248164865</reset-time-in-seconds>
    </hash>
The hourly limit here is 150 indicating my IP is not whitelisted. For completeness, our rate limiting article is here [1]. Again, whitelisting does not ensure your users will not get suspended. Whitelisting only affects rate limits.
1. http://apiwiki.twitter.com/Rate-limiting
Thanks, Doug -- Do you follow me? http://twitter.com/dougw
On Tue, Jul 21, 2009 at 12:29 AM, sjespers se...@webkitchen.be wrote: Thanks for looking in to this and for unsuspending my account. Did you also confirm that the server I am working from is whitelisted? How can I make sure that it is? If it's not, then I won't be able to release my application because everyone will get suspended who uses it then? Thanks, Serge
On Jul 20, 11:11 pm, Doug Williams d...@twitter.com wrote: Serge, Looking at the account I'm not quite sure why it was suspended. The records are inconclusive. I've unsuspended the account. For posterity's sake I'll repeat that whitelisting will not protect you from suspension. Whitelisting raises select REST API limits. Thanks, Doug
[twitter-dev] How to use Sign-in-with-Twitter in Web App with username and password ?
Hi all, Sorry for a newbie question again, but I am a bit confused by the Sign-in-with-Twitter feature. I came across some Twitter apps which let the user key in their Twitter account and password, then authenticate the user via an API call. I also came across the Sign-in-with-Twitter feature in the Twitter developer wiki, which redirects the user to https://www.twitter.com/oauth/authenticate. My question is, how should I code my web app home page? Can I use the following logic? When the user accesses the app home page:
1. Get a request token with the consumer key and secret, then redirect to https://www.twitter.com/oauth/authenticate, passing in oauth_token.
2. The user will be redirected to the appropriate page by Twitter based on the flow in http://apiwiki.twitter.com/Sign-in-with-Twitter
3. After authentication, Twitter will redirect the user to the callback URL. (At this point, how do I get the user id? Call verify_credentials?)
With the above logic, the user will key in the username and password on the Twitter page. What if I would like the user to input the username and password on a page that I customize? Sorry for a long question but I really need some help; any hints are much appreciated. Rgds, CG
[twitter-dev] Re: How to use Sign-in-with-Twitter in Web App with username and password ?
Hi, The numeric user id is part of the access token (I believe it is the first part), however, on twollo.com I immediately call verify_credentials.json to get the account details of the authenticating user. Paul
2009/7/21 CG learn@gmail.com Hi all, Sorry for a newbie question again, but I am a bit confused by the Sign-in-with-Twitter feature. I came across some Twitter apps which let the user key in their Twitter account and password, then authenticate the user via an API call. I also came across the Sign-in-with-Twitter feature in the Twitter developer wiki, which redirects the user to https://www.twitter.com/oauth/authenticate. My question is, how should I code my web app home page? Can I use the following logic? When the user accesses the app home page:
1. Get a request token with the consumer key and secret, then redirect to https://www.twitter.com/oauth/authenticate, passing in oauth_token.
2. The user will be redirected to the appropriate page by Twitter based on the flow in http://apiwiki.twitter.com/Sign-in-with-Twitter
3. After authentication, Twitter will redirect the user to the callback URL. (At this point, how do I get the user id? Call verify_credentials?)
With the above logic, the user will key in the username and password on the Twitter page. What if I would like the user to input the username and password on a page that I customize? Sorry for a long question but I really need some help; any hints are much appreciated. Rgds, CG
[twitter-dev] Re: Is it possible to control the source name
Thank you for the info; @ any rate is has slow down considerably, it seems to be manageable for the time being. VJC -Original Message- From: twitter-development-talk@googlegroups.com [mailto:twitter-development-t...@googlegroups.com] On Behalf Of victor castleton Sent: Wednesday, July 15, 2009 10:11 PM To: twitter-development-talk@googlegroups.com Subject: [twitter-dev] Re: Is it possible to control the source name Hi, how do I cut myself out of this group, or better yet control or change the type of mail that I am getting? Can you help? Sincerely, Victor -Original Message- From: twitter-development-talk@googlegroups.com [mailto:twitter-development-t...@googlegroups.com] On Behalf Of AccountingSoftwareGuy Sent: Wednesday, July 15, 2009 7:46 PM To: Twitter Development Talk Subject: [twitter-dev] Is it possible to control the source name Hi I am using the new oAuth method for communicating with the Twitter API. It appears the default behavior is to include the application name as the source of a post. For instance... [date/time] from DynamicTweets This is fine in most cases but in certain cases we want to make a post look like it came from the web and not display our application name... [date/time] from web Is this possible, I've looked through many threads and I can't seem to find a way to do this and the source= parameter doesn't seem to work.
[twitter-dev] encoding password
Hi, I have been using the Twitter API for 2 weeks now and everything seems to work, but I have 1 problem with a certain user when getting his user feed. I'm using curl to retrieve the data but I'm getting the following error:
    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <request>/statuses/user_timeline.xml</request>
      <error>This method requires authentication.</error>
    </hash>
Out of the 25 Twitter users I'm collecting data from, this one is the only one that is giving me a problem. I have checked if the supplied username + password are correct and they are. There is one thing though: this user uses a special character in his password (-sign). I've tried urlencoding the password and using htmlentities, both resulting in the same error. Does anyone know a solution to this problem? Best Regards, RV
[twitter-dev] json - user.following
Hi, I am making a Twitter Mod for Garry's Mod (HL2 Modification). When checking out the Tweets which I receive with JSON I was wondering about this: http://gtweet.pastebin.com/m3b888a6 As you can see, some Tweets have the entry user.following = true / false and some just don't have it. Can anyone explain this or tell what user.following was meant to be? Best Regards, Stoned
[twitter-dev] Search API error {"error":"since_id too recent, poll less frequently"}
I am polling the search API every 60 seconds and intermittently receiving the following error: {"error":"since_id too recent, poll less frequently"} Is this behavior to be expected or is there some problem? Matthew Schrock
[twitter-dev] Re: 140 character limit overridden for Twitgoo?
Hi, what app were you using? Just the website? On Jul 20, 4:20 pm, Abir abstar...@gmail.com wrote: Abraham: Thanks, but not sure I understand why the counter said 140 when i was inputting but the post count is 133? On Jul 20, 3:11 pm, Abraham Williams 4bra...@gmail.com wrote: If you look at the status you will find that it only posted at 133 characters. http://twitter.com/ABIRB123/status/2745931292 Abraham On Mon, Jul 20, 2009 at 16:36, Abir abstar...@gmail.com wrote: Guys: Just posted this on Twitgoo. -It let me post a 140 character + -The URL it is an oryx antelope, it's just a stock image from my laptop's repository. why do this? well i am testing!http://twitgoo.com/1ke92 Isn't the total limit 140 characters? or are URL's not counted? I am developing a service to buy and sell things on Twitter and this would be helpful to know. Thanks -- Abraham Williams | Community Evangelist |http://web608.org Hacker |http://abrah.am|http://twitter.com/abraham Project |http://fireeagle.labs.poseurtech.com This email is: [ ] blogable [x] ask first [ ] private. Sent from Madison, WI, United States
[twitter-dev] Search API error {"error":"since_id too recent, poll less frequently"}
I am polling the Search API and intermittently receive the following error: {"error":"since_id too recent, poll less frequently"} Is this to be expected or is this something going wrong on the server side? Matthew Schrock
[twitter-dev] Re: Search API error {"error":"since_id too recent, poll less frequently"}
That usually happens when the search servers get out of sync and the since_id tweet hasn't been indexed on the other server(s) yet, so it thinks it's a tweet from the future. -Chad On Tue, Jul 21, 2009 at 12:38 PM, matthewjesc...@gmail.com wrote: I am polling the Search API and intermittently receive the following error: {"error":"since_id too recent, poll less frequently"} Is this to be expected or is this something going wrong on the server side? Matthew Schrock
[twitter-dev] Re: tex
Please see http://help.twitter.com/ for questions about using Twitter over SMS. On Mon, Jul 20, 2009 at 20:07, canpaulcanpau...@gmail.com wrote: i have a metroPCS cell phone i cant get your texes whats up with that. -- Alex Payne - Platform Lead, Twitter, Inc. http://twitter.com/al3x
[twitter-dev] Re: Search API error {"error":"since_id too recent, poll less frequently"}
Chad, Good to know. Thanks for your help. Matthew On Jul 21, 2:13 pm, Chad Etzel jazzyc...@gmail.com wrote: That usually happens when the search servers get out of sync and the since_id tweet hasn't been indexed on the other server(s) yet, so it thinks it's a tweet from the future. -Chad On Tue, Jul 21, 2009 at 12:38 PM, matthewjesc...@gmail.com wrote: I am polling the Search API and intermittently receive the following error: {"error":"since_id too recent, poll less frequently"} Is this to be expected or is this something going wrong on the server side? Matthew Schrock
[twitter-dev] Re: using whitelisted account for getting multiple user statuses
It's possible to apply whitelisted rate limits to authenticated requests, whether the request is made with Basic Auth or OAuth. If the requesting user is whitelisted, the higher rate limit will take effect. On Mon, Jul 20, 2009 at 23:38, BG binug...@gmail.com wrote: My application retrieves status of multiple Twitter users. I have a whitelisted account for a username. The Twitter API documentation recommends that I use whitelisted IP Addresses to get the statuses. However, my IP addresses change pretty often, so I would like to know if it is possible to make more than 150 status requests using a whitelisted account (OAuth). If it isn't possible, what other options do I have? Thanks, BG -- Alex Payne - Platform Lead, Twitter, Inc. http://twitter.com/al3x
[twitter-dev] Search API: since_id is now unreliable
Hi API Team, A few of us have been discussing off list a funky behavior we have been noticing and now users are starting to notice. There is a problem for sites/apps like TweetGrid and TweetChat which auto-refresh tweets based on the Search API using the since_id. People are noticing that these sites are missing tweets when compared to the search.twitter.com results page for the same query. We believe what is happening is that the search servers are not indexing tweets in a serial manner, and so a tweet with a higher id may sneak into a search server and be indexed first before a tweet with a lower id. This means that when the since_id is sent back from the query (or derived from the first result in the results array), using that since_id to refresh the query will miss lower id tweets when they finally do get indexed. So the illusion of missing tweets is created. You can run TweetGrid and TweetChat in separate tabs using the same query and see that sometimes the results don't match up because of this. I'll try to give an example to be clear. Let's say for the sake of simplicity that I'm searching for twitter and that every 10th tweet in the public timeline matches. So, all tweets ending in 0 match my query.
Search server 1 may index: 20 30 40 60 70 (notice missing 50)
At the same time, Search server 2 may index: 20 30 40 50 (notice hasn't indexed 60 or 70 yet)
I send a query and get a response from Server 1 and get a since_id of 70. On my next request I use that since_id=70 and I'll never see tweet 50. Thus the missing tweets. This is quite annoying, especially now that users are noticing and complaining to us (the app devs) that our apps are broken. I cannot think of a good workaround for this that would be simple enough to implement and be worth the effort. Is this behavior something anyone else can confirm? Are tweets supposed to be indexed/replicated serially by the search servers? -Chad
[twitter-dev] Re: encoding password
If you are POSTing the user/pass down to a script that uses curl to get the information, you should urlencode the username and password before you POST them then urldecode them once received by the curl'ing script. An sign in a variable will screw up your POST variables if not escaped/encoded before being POSTed to another script. -Chad
On Tue, Jul 21, 2009 at 7:35 AM, RV thanato...@gmail.com wrote: Hi, I have been using the Twitter API for 2 weeks now and everything seems to work, but I have 1 problem with a certain user when getting his user feed. I'm using curl to retrieve the data but I'm getting the following error:
    <?xml version="1.0" encoding="UTF-8"?>
    <hash>
      <request>/statuses/user_timeline.xml</request>
      <error>This method requires authentication.</error>
    </hash>
Out of the 25 Twitter users I'm collecting data from, this one is the only one that is giving me a problem. I have checked if the supplied username + password are correct and they are. There is one thing though: this user uses a special character in his password (-sign). I've tried urlencoding the password and using htmlentities, both resulting in the same error. Does anyone know a solution to this problem? Best Regards, RV
[twitter-dev] Re: 140 character limit overridden for Twitgoo?
yes just the twitgoo website On Jul 21, 8:38 am, Justin Hart onyxra...@gmail.com wrote: Hi, what app were you using? Just the website? On Jul 20, 4:20 pm, Abir abstar...@gmail.com wrote: Abraham: Thanks, but not sure I understand why the counter said 140 when i was inputting but the post count is 133? On Jul 20, 3:11 pm, Abraham Williams 4bra...@gmail.com wrote: If you look at the status you will find that it only posted at 133 characters. http://twitter.com/ABIRB123/status/2745931292 Abraham On Mon, Jul 20, 2009 at 16:36, Abir abstar...@gmail.com wrote: Guys: Just posted this on Twitgoo. -It let me post a 140 character + -The URL it is an oryx antelope, it's just a stock image from my laptop's repository. why do this? well i am testing!http://twitgoo.com/1ke92 Isn't the total limit 140 characters? or are URL's not counted? I am developing a service to buy and sell things on Twitter and this would be helpful to know. Thanks -- Abraham Williams | Community Evangelist |http://web608.org Hacker |http://abrah.am|http://twitter.com/abraham Project |http://fireeagle.labs.poseurtech.com This email is: [ ] blogable [x] ask first [ ] private. Sent from Madison, WI, United States
[twitter-dev] How many ID's are returned on API Call - blocks blocking ids
I'm wondering how many ids are returned when you ask for the authenticated users blocked id's. The other id calls return 5,000 per page, but I was unsure on blocks. Thanks.
[twitter-dev] Re: Search API: since_id is now unreliable
Chad, Your assessment is spot on. At the heart of search there are a number of data stores that accept queries (reads) while at the same time perform writes from an indexer. Heavy load -- large numbers of queries, large number of writes or both -- can cause the write replication between the indexer and various data stores to grow inconsistent when a particular data store is blocked on a read. Unfortunately there is no easy fix for this problem at the moment. The search team has grown considerably in the last couple of weeks so as they get up to speed, the feature set and stability of search should continue to improve. Thanks, Doug
On Tue, Jul 21, 2009 at 11:57 AM, Chad Etzel jazzyc...@gmail.com wrote: Hi API Team, A few of us have been discussing off list a funky behavior we have been noticing and now users are starting to notice. There is a problem for sites/apps like TweetGrid and TweetChat which auto-refresh tweets based on the Search API using the since_id. People are noticing that these sites are missing tweets when compared to the search.twitter.com results page for the same query. We believe what is happening is that the search servers are not indexing tweets in a serial manner, and so a tweet with a higher id may sneak into a search server and be indexed first before a tweet with a lower id. This means that when the since_id is sent back from the query (or derived from the first result in the results array), using that since_id to refresh the query will miss lower id tweets when they finally do get indexed. So the illusion of missing tweets is created. You can run TweetGrid and TweetChat in separate tabs using the same query and see that sometimes the results don't match up because of this. I'll try to give an example to be clear. Let's say for the sake of simplicity that I'm searching for twitter and that every 10th tweet in the public timeline matches. So, all tweets ending in 0 match my query.
Search server 1 may index: 20 30 40 60 70 (notice missing 50)
At the same time, Search server 2 may index: 20 30 40 50 (notice hasn't indexed 60 or 70 yet)
I send a query and get a response from Server 1 and get a since_id of 70. On my next request I use that since_id=70 and I'll never see tweet 50. Thus the missing tweets. This is quite annoying, especially now that users are noticing and complaining to us (the app devs) that our apps are broken. I cannot think of a good workaround for this that would be simple enough to implement and be worth the effort. Is this behavior something anyone else can confirm? Are tweets supposed to be indexed/replicated serially by the search servers? -Chad
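The since_id gap from this thread, replayed with Chad's numbers, as an added example that is not code from any poster or from Twitter. `NaivePoller`, `LaggedPoller` and `search` are hypothetical names; the lagged variant assumes a late tweet is indexed within `lag_polls` polling intervals and pays for that by re-fetching and de-duplicating results.

```python
from collections import deque

# Index contents from the example in the thread (every matching tweet ends in 0).
SERVER_1_EARLY = [20, 30, 40, 60, 70]    # has 60 and 70, has not indexed 50 yet
CAUGHT_UP = [20, 30, 40, 50, 60, 70]     # any server once replication has finished


def search(index, since_id):
    """Stand-in for one search server: ids in its index greater than since_id."""
    return sorted(i for i in index if i > since_id)


class NaivePoller:
    """Refreshes with the highest id seen so far, as the affected apps do."""

    def __init__(self):
        self.since_id = 0

    def poll(self, index):
        results = search(index, self.since_id)
        if results:
            self.since_id = max(results)
        return results


class LaggedPoller:
    """Refreshes with the high-water mark from `lag_polls` polls ago.

    Results already delivered are filtered out by id, so a tweet that was
    indexed late (50 in the thread's example) is still picked up.
    """

    def __init__(self, lag_polls=1):
        # history[0] is the since_id to send; history[-1] is the newest mark.
        self.history = deque([0] * (lag_polls + 1), maxlen=lag_polls + 1)
        self.seen = set()

    def poll(self, index):
        results = search(index, self.history[0])
        fresh = [i for i in results if i not in self.seen]
        self.seen.update(fresh)
        self.history.append(max([self.history[-1]] + results))
        # Ids at or below the next since_id can never be returned again.
        self.seen = {i for i in self.seen if i > self.history[0]}
        return fresh


def run_scenario(poller):
    """First poll hits server 1 early, second poll hits a caught-up server."""
    delivered = poller.poll(SERVER_1_EARLY) + poller.poll(CAUGHT_UP)
    return sorted(delivered)


if __name__ == "__main__":
    print("naive :", run_scenario(NaivePoller()))
    print("lagged:", run_scenario(LaggedPoller(lag_polls=1)))
```
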
[twitter-dev] Help on posting a link on Twitter...
I could really use some probably simple help on posting a Google Map link to Twitter, which comes from an app of mine through the API. Basically I'd want to post the entire link like this to twitter from my app: Here is the data I send twitter in the API: is sharing the location for NAME. http://maps.google.com/maps?f=q?q=100.0,50.0%20%28SPOT%20NAME%29; and twitter only posts: MYACCOUNT is sharing the location for SPOT NAME. http://maps.google.com/maps... http://maps.google.com/maps...; shows as a hyperlink, but the rest is truncated/missing. And the link takes you to http://maps.google.com/ maps?f=q and then stops. Are there more characters I should replace in the data before I send it to Twitter? To replace the ? or the in what I sent twitter and forward? I tried %25 instead of a ?, etc. Please help. Still picking up these HTML tricks!
[twitter-dev] Re: Help on posting a link on Twitter...
I'm assuming your link should have an & instead of a second ?.
Bad: http://maps.google.com/maps?f=q?q=100.0,50.0%20%28SPOT%20NAME%29;
Good: http://maps.google.com/maps?f=q&q=100.0,50.0%20%28SPOT%20NAME%29;
On Jul 21, 2:53 pm, Travis Williams travw...@gmail.com wrote: I could really use some probably simple help on posting a Google Map link to Twitter, which comes from an app of mine through the API. Basically I'd want to post the entire link like this to twitter from my app: Here is the data I send twitter in the API: is sharing the location for NAME. http://maps.google.com/maps?f=q?q=100.0,50.0%20%28SPOT%20NAME%29; and twitter only posts: MYACCOUNT is sharing the location for SPOT NAME. http://maps.google.com/maps... http://maps.google.com/maps...; shows as a hyperlink, but the rest is truncated/missing. And the link takes you to http://maps.google.com/ maps?f=q and then stops. Are there more characters I should replace in the data before I send it to Twitter? To replace the ? or the in what I sent twitter and forward? I tried %25 instead of a ?, etc. Please help. Still picking up these HTML tricks!
[twitter-dev] Re: Keep getting suspended
On Jul 21, 3:48 am, sjespers se...@webkitchen.be wrote:
> Because there is no AS2 Twitter API, I'm using a server side API proxy. So, the Flash Lite app connects to mtwit.net mtwit.net connects to Twitter.com mtwit returns XML data to my app.
Is there some reason the app cannot connect directly to Twitter? I understand there's no API (by which I think you mean existing library), but Twitter's XML and JSON API isn't difficult to deal with directly. I don't know enough about ActionScript to know if there's some technical limitation requiring you to run a proxying app in the middle.
> In theory, a limit of 2 means I can only support 133 concurrent users (if they all leave the app running for an hour).
I don't speak for Twitter, but that topic has come up on this list a few times before, and it's easy to demonstrate mathematically (as you've just done) that if you're doing auth'd requests on behalf of a significant number of users, then there's an excellent chance whitelisting is going to work against you rather than in your favor.
[twitter-dev] Registering our application as browser-based or desktop
Hi, I work on a Content Management System solution in which we're currently trying to integrate Twitter. Here is the issue: Our software is installed, so while it is browser-based there is not a consistent URL to redirect people to and thus nothing that really makes sense to fill out when registering our application. That said, I'd like to avoid requiring the users of our software to visit a URL and copy/paste a PIN to authorize our application to send updates to their Twitter accounts. Is there a recommended way to do this? Where should that URL be redirecting them to? It's my understanding that if they visit the URL, an access token can be generated without the use of a PIN (we're using twitter4j for this part). I guess we could just redirect them to our product's website or some page that says go back into our app and click OK to enable the Twitter connection. Thanks, Bradley
[twitter-dev] Re: Registering our application as browser-based or desktop
If you set the oauth_callback with a value of oob, it will not redirect the user, but provide the PIN style authorization behavior. See this older post on the new style of calling these params: http://groups.google.com/group/twitter-api-announce/browse_thread/thread/472500cfe9e7cdb9 Hope this helps. Hedley
On Tue, Jul 21, 2009 at 2:06 PM, Bradley Wagner bradley.wag...@gmail.com wrote: Hi, I work on a Content Management System solution in which we're currently trying to integrate Twitter. Here is the issue: Our software is installed, so while it is browser-based there is not a consistent URL to redirect people to and thus nothing that really makes sense to fill out when registering our application. That said, I'd like to avoid requiring the users of our software to visit a URL and copy/paste a PIN to authorize our application to send updates to their Twitter accounts. Is there a recommended way to do this? Where should that URL be redirecting them to? It's my understanding that if they visit the URL, an access token can be generated without the use of a PIN (we're using twitter4j for this part). I guess we could just redirect them to our product's website or some page that says go back into our app and click OK to enable the Twitter connection. Thanks, Bradley
[twitter-dev] Updating the APIs authentication limiting policy
Devs -- A change shipped last week that limited the number of times a user could access the account/verify_credentials method [1] in a given hour. This change proved hasty and short-sighted as pointed out by the subsequent discussion [2]. We apologize to any developer that was adversely affected. Given the problems, we want to fix this in a public and transparent manner.
Like most web services, we limit the number of attempts users can make to login to their accounts on Twitter.com to prevent brute force dictionary attacks. This same security is not extended to the platform and leaves accounts vulnerable to the same method of attack through the API. The change we shipped to limit user accounts to 15 calls an hour to the account/verify_credentials method [1] was intended to mitigate this risk. It was thought to limit the number of tests a potential attack could run in the hour, even in a distributed fashion. However, we only protected a single resource which still leaves all other authenticated methods exposed as a vector of attack (limited only by the API rate limit).
Our thinking is now that we will limit the total number of unsuccessful attempts to access authenticated resources to 15 an hour per user per IP address. If a single IP address makes 15 attempts to access a protected resource unsuccessfully for a given user (as indicated by an HTTP 401), then the user will be locked out of authenticated resources from that IP address for 1 hour.
This scheme has all of the positive effects that we need, however we want to make sure that we have thought through all of the potential problems on the developer's side before we proceed with this change. Please contribute to the subsequent discussion if you have an opinion or concern. Once we come to an agreement, we will update with details and a timeline for shipping this update.
1. http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0verify_credentials
2. http://groups.google.com/group/twitter-development-talk/browse_thread/thread/b057014336ff502b
Regards, Doug
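The lockout rule proposed in this post (15 HTTP 401 responses in an hour for one user from one IP address, then a 1 hour lockout for that pair), written out as an added example and replayed over a constructed request log; it is not Twitter's code. `AuthFailureLimiter` and the log format are hypothetical, and it assumes a sliding one-hour window and that a successful request does not reset the failure count, neither of which the post specifies.

```python
from collections import defaultdict, deque

# Numbers taken from the proposal in the post above.
MAX_FAILURES = 15        # unsuccessful attempts allowed ...
WINDOW_SECONDS = 3600    # ... within one hour, per (user, IP) pair
LOCKOUT_SECONDS = 3600   # length of the lockout once the limit is hit


class AuthFailureLimiter:
    """Counts HTTP 401 responses per (user, ip) and locks that pair out."""

    def __init__(self):
        self._failures = defaultdict(deque)  # (user, ip) -> times of recent 401s
        self._locked_until = {}              # (user, ip) -> time the lock ends

    def is_locked(self, user, ip, now):
        key = (user, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: forget it and start counting from zero again.
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record(self, user, ip, status, now):
        """Feed one request; returns "locked", "failed" or "ok"."""
        key = (user, ip)
        if self.is_locked(user, ip, now):
            return "locked"  # refused before the credentials are checked
        if status != 401:
            return "ok"      # assumption: a success does not reset the count
        window = self._failures[key]
        window.append(now)
        while window[0] <= now - WINDOW_SECONDS:
            window.popleft()  # drop failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
        return "failed"


def build_sample_log():
    """Constructed log lines: '<epoch> <user> <ip> <status the API would send>'."""
    t0 = 1248200000
    lines = ["%d alice 203.0.113.7 401" % (t0 + 60 * i) for i in range(15)]
    locked_at = t0 + 60 * 14  # time of the 15th failure
    lines += [
        "%d alice 203.0.113.7 200" % (locked_at + 10),   # right password, locked
        "%d bob 203.0.113.7 200" % (locked_at + 20),     # same IP, other user
        "%d alice 198.51.100.9 200" % (locked_at + 30),  # same user, other IP
        "%d alice 203.0.113.7 200" % (locked_at + LOCKOUT_SECONDS),  # lock over
    ]
    return lines


def replay(lines):
    """Run the log through a fresh limiter and return (user, ip, outcome) rows."""
    limiter = AuthFailureLimiter()
    outcomes = []
    for line in lines:
        ts, user, ip, status = line.split()
        outcomes.append((user, ip, limiter.record(user, ip, int(status), int(ts))))
    return outcomes


if __name__ == "__main__":
    for user, ip, outcome in replay(build_sample_log()):
        print(user, ip, outcome)
```

Because the counter is keyed on the (user, IP) pair, a proxy or shared address that serves many users keeps working for everyone except the one locked-out account.
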
[twitter-dev] Re: Too many requests in this time period. Try again later.
Let's bring the discussion on the update to the new thread: http://groups.google.com/group/twitter-development-talk/browse_thread/thread/2d68c74567bc9809 Thanks, Doug On Mon, Jul 20, 2009 at 10:08 PM, Doug Williams d...@twitter.com wrote: Martin, The change certainly went out prematurely which is admittedly a mistake on our end. I will have details tomorrow morning to share about our fix. Thanks, Doug On Mon, Jul 20, 2009 at 7:45 PM, Martin Omander moman...@google.com wrote: Doug, Thanks for letting us know about the new request limit. I was worried something was wrong on my side. Like the others are saying; it would have been nice with a heads-up. Cheers, /Martin
[twitter-dev] Re: Updating the APIs authentication limiting policy
Thanks for the update Doug. Does this still apply to OAuth apps? Also, if a user goes through an app and unsuccessfully attempts to login 15 times will that app be blocked from authenticating anybody for an hour or just that user? The previous change seemed to block the entire app from making an authentication request on anybody once the limit had been hit.
[twitter-dev] Re: Updating the APIs authentication limiting policy
To be honest ever since the x-rate-limit HTTP headers were added we removed the call to verify_credentials from our Twitter API layer. Every time that our Twitter API layer does an HTTP request it squirrels away the header values and any requests to our API from the application for rate-limit information is just fulfilled from those saved variables. So we don't need verify_credentials for rate-limit information. Every time that our API does an HTTP request it watches for unauthorized HTTP responses, so we don't need verify_credentials to verify that our app is still authorized on the account or that the user's password is still the same. Every single Twitter API method could be used to brute-force by sending HTTP auth headers and watching the HTTP response, but you are rate-limited to 150 requests/hour/ip, if this rate-limit is good enough for all the other attack vectors it should probably be good enough for verify_credentials. In fact verify_credentials is basically a nop function, which IMHO really isn't needed any longer. Josh On Jul 21, 7:00 pm, Doug Williams d...@twitter.com wrote: Devs -- A change shipped last week that limited the number of times a user could access the account/verify_credentials method [1] in a given hour. This change proved hasty and short-sighted as pointed out by the subsequent discussion [2]. We apologize to any developer that was adversely affected. Given the problems, we want to fix this in a public and transparent manner. Like most web services, we limit the number of attempts users can make to login to their accounts on Twitter.com to prevent brute force dictionary attacks. This same security is not extended to the platform and leaves accounts vulnerable to the same method of attack through the API. The change we shipped to limit user accounts to 15 calls an hour to the account/verify_credentials method [1] was intended to mitigate this risk. It was thought to limit the number of tests a potential attack could run in the hour, even in a distributed fashion. However, we only protected a single resource which still leaves all other authenticated methods exposed as a vector of attack (limited only by the API rate limit). Our thinking is now that we will limit the total number of unsuccessful attempts to access authenticated resources to 15 an hour per user per IP address. If a single IP address makes 15 attempts to access a protected resource unsuccessfully for a given user (as indicated by an HTTP 401), then the user will be locked out of authenticated resources from that IP address for 1 hour. This scheme has all of the positive effects that we need, however we want to make sure that we have thought through all of the potential problems on the developer's side before we proceed with this change. Please contribute to the subsequent discussion if you have an opinion or concern. Once we come to an agreement, we will update with details and a timeline for shipping this update. 1. http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0ve... 2. http://groups.google.com/group/twitter-development-talk/browse_thread... Regards, Doug
[twitter-dev] Re: Search API: since_id is now unreliable
Thanks for posting this Chad! Doug, please keep us updated on how things progress with this issue so we can pass along guidance to our user-base. Hopefully the improvements will come in the near-term. Thanks for all that you guys do! Brooks On Jul 21, 3:45 pm, Doug Williams d...@twitter.com wrote: Chad, Your assessment is spot on. At the heart of search there are a number of data stores that accept queries (reads) while at the same time perform writes from an indexer. Heavy load -- large numbers of queries, large number of writes, or both -- can cause the write replication between the indexer and various data stores to grow inconsistent when a particular data store is blocked on a read. Unfortunately there is no easy fix for this problem at the moment. The search team has grown considerably in the last couple of weeks so as they get up to speed, the feature set and stability of search should continue to improve. Thanks, Doug On Tue, Jul 21, 2009 at 11:57 AM, Chad Etzel jazzyc...@gmail.com wrote: Hi API Team, A few of us have been discussing off list a funky behavior we have been noticing and now users are starting to notice. There is a problem for sites/apps like TweetGrid and TweetChat which auto-refresh tweets based on the Search API using the since_id. People are noticing that these sites are missing tweets when compared to the search.twitter.com results page for the same query. We believe what is happening is that the search servers are not indexing tweets in a serial manner, and so a tweet with a higher id may sneak into a search server and be indexed first before a tweet with a lower id. This means that when the since_id is sent back from the query (or derived from the first result in the results array), using that since_id to refresh the query will miss lower id tweets when they finally do get indexed. So the illusion of missing tweets is created. You can run TweetGrid and TweetChat in separate tabs using the same query and see that sometimes the results don't match up because of this. I'll try to give an example to be clear. Let's say for the sake of simplicity that I'm searching for twitter and that every 10th tweet in the public timeline matches. So, all tweets ending in 0 match my query. Search server 1 may index: 20 30 40 60 70 (notice missing 50) At the same time, Search server 2 may index: 20 30 40 50 (notice hasn't indexed 60 or 70 yet) I send a query and get a response from Server 1 and get a since_id of 70. On my next request I use that since_id=70 and I'll never see tweet 50. Thus the missing tweets. This is quite annoying, especially now that users are noticing and complaining to us (the app devs) that our apps are broken. I cannot think of a good workaround for this that would be simple enough to implement and be worth the effort. Is this behavior something anyone else can confirm? Are tweets supposed to be indexed/replicated serially by the search servers? -Chad
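The scenario in the quoted message, reproduced with its tweet ids as an added example (not code from the thread or from any of the apps named). The later index state, the `search` stand-in for the Search API and the overlap-window poller are constructed for illustration; the window size is a guess at how late a tweet can be indexed, not a figure from Twitter.

```python
def search(index, since_id):
    """Stand-in for one search server: ids newer than since_id, newest first."""
    return sorted((i for i in index if i > since_id), reverse=True)


class NaivePoller:
    """Refreshes with since_id set to the highest id seen so far."""

    def __init__(self):
        self.since_id = 0
        self.shown = []

    def poll(self, index):
        results = search(index, self.since_id)
        self.shown.extend(results)
        if results:
            self.since_id = results[0]
        return results


class OverlapPoller:
    """Re-queries a trailing window of ids and de-duplicates locally."""

    def __init__(self, overlap):
        self.overlap = overlap      # how far below the newest id to re-query
        self.max_seen = 0
        self.seen = set()
        self.shown = []

    def poll(self, index):
        results = search(index, max(0, self.max_seen - self.overlap))
        fresh = [i for i in results if i not in self.seen]
        self.seen.update(fresh)
        self.shown.extend(fresh)
        if results:
            self.max_seen = max(self.max_seen, results[0])
        return fresh


# Server 1 as in the message: 60 and 70 were indexed before 50.
SERVER_1_EARLY = [20, 30, 40, 60, 70]
# Constructed later state: 50 has arrived late and 80 is new.
SERVER_1_LATER = [20, 30, 40, 50, 60, 70, 80]


def run(poller):
    """Poll the early state, then the later one; return everything displayed."""
    poller.poll(SERVER_1_EARLY)
    poller.poll(SERVER_1_LATER)
    return sorted(poller.shown)
```

The overlap poller trades extra results per request for completeness, and it still misses any tweet indexed later than the window allows.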
[twitter-dev] Twitter credentials
1. Is there any Twitter API method (PHP) to get credentials, both username and password? 2. How to use oauth_token returned in callback URL; with this token is there any way to get Twitter credentials, both username and password? Thanks for your help in advance!
[twitter-dev] Re: Twitter credentials
On Tue, Jul 21, 2009 at 11:32 PM, raj rajsmaru...@gmail.com wrote: 1. Is there any Twitter API method (PHP) to get credentials, both username and password? 2. How to use oauth_token returned in callback URL; with this token is there any way to get Twitter credentials, both username and password? No. -damon
[twitter-dev] Re: Twitter credentials
Raj, You might also want to describe what you are trying to do, and some can help you to understand the way they do it. Thanks Peter On Jul 21, 2009, at 9:32 PM, raj rajsmaru...@gmail.com wrote: 1. Is there any Twitter API method (PHP) to get credentials, both username and password? 2. How to use oauth_token returned in callback URL; with this token is there any way to get Twitter credentials, both username and password? Thanks for your help in advance!
[twitter-dev] Re: Updating the APIs authentication limiting policy
Josh, is there a way, without verify_credentials, to identify that users have changed their Twitter passwords (and therefore you are no longer able to authenticate for them)? For client apps, I don't see this being as much of a problem, but for server-based apps that run regular scripts on behalf of users this could become a regular issue, which is why we were running it. In addition, what is the best way with OAuth to identify the screen name of an individual? verify_credentials is the only way I'm aware of, unless there's something I'm missing (which is probably very likely). I'd love to know if there's a better way. A best practices doc on how to retrieve user information, and how to best verify users have not changed their passwords would certainly be useful I think. I'd like to know how Twitter recommends we do this. Jesse On Tue, Jul 21, 2009 at 8:50 PM, Josh Perry j...@6bit.com wrote: To be honest ever since the x-rate-limit HTTP headers were added we removed the call to verify_credentials from our Twitter API layer. Every time that our Twitter API layer does an HTTP request it squirrels away the header values and any requests to our API from the application for rate-limit information is just fulfilled from those saved variables. So we don't need verify_credentials for rate-limit information. Every time that our API does an HTTP request it watches for unauthorized HTTP responses, so we don't need verify_credentials to verify that our app is still authorized on the account or that the user's password is still the same. Every single Twitter API method could be used to brute-force by sending HTTP auth headers and watching the HTTP response, but you are rate-limited to 150 requests/hour/ip, if this rate-limit is good enough for all the other attack vectors it should probably be good enough for verify_credentials. In fact verify_credentials is basically a nop function, which IMHO really isn't needed any longer. Josh On Jul 21, 7:00 pm, Doug Williams d...@twitter.com wrote: Devs -- A change shipped last week that limited the number of times a user could access the account/verify_credentials method [1] in a given hour. This change proved hasty and short-sighted as pointed out by the subsequent discussion [2]. We apologize to any developer that was adversely affected. Given the problems, we want to fix this in a public and transparent manner. Like most web services, we limit the number of attempts users can make to login to their accounts on Twitter.com to prevent brute force dictionary attacks. This same security is not extended to the platform and leaves accounts vulnerable to the same method of attack through the API. The change we shipped to limit user accounts to 15 calls an hour to the account/verify_credentials method [1] was intended to mitigate this risk. It was thought to limit the number of tests a potential attack could run in the hour, even in a distributed fashion. However, we only protected a single resource which still leaves all other authenticated methods exposed as a vector of attack (limited only by the API rate limit). Our thinking is now that we will limit the total number of unsuccessful attempts to access authenticated resources to 15 an hour per user per IP address. If a single IP address makes 15 attempts to access a protected resource unsuccessfully for a given user (as indicated by an HTTP 401), then the user will be locked out of authenticated resources from that IP address for 1 hour. This scheme has all of the positive effects that we need, however we want to make sure that we have thought through all of the potential problems on the developer's side before we proceed with this change. Please contribute to the subsequent discussion if you have an opinion or concern. Once we come to an agreement, we will update with details and a timeline for shipping this update. 1. http://apiwiki.twitter.com/Twitter-REST-API-Method%3A-account%C2%A0ve... 2. http://groups.google.com/group/twitter-development-talk/browse_thread... Regards, Doug