Building secure applications protects both your users and the X platform. This guide covers essential security practices for X API developers.

Core requirements

TLS required

All API requests must use HTTPS. Plain HTTP is rejected.

Credential security

Never expose API keys or tokens in client-side code, logs, or repositories.

Protecting credentials

Your API keys and tokens are the keys to your app. Keep them secure:

  1. Use environment variables
     Store credentials in environment variables, not in code.
       export X_API_KEY="your-api-key"
       export X_API_SECRET="your-api-secret"
  2. Never commit secrets
     Add credential files to .gitignore. Use tools like git-secrets to prevent accidental commits.
  3. Rotate regularly
     Regenerate keys periodically and immediately if you suspect a compromise.
  4. Use minimal permissions
     Only request the OAuth scopes your app actually needs.
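The following is an added example (not code from the X documentation or the X platform) of loading the two variables above at startup and failing closed when either is absent or empty. The `Credentials` class and `load_credentials` function are assumed names; the secret is kept out of `repr()` and `str()` so that an accidental debug print or log line does not leak it.

```python
import os
from dataclasses import dataclass, field
from typing import Mapping, Optional

# X_API_KEY and X_API_SECRET match the variable names above; everything else here is
# an assumption made for this example.
REQUIRED_VARS = ("X_API_KEY", "X_API_SECRET")


@dataclass(frozen=True)
class Credentials:
    api_key: str
    api_secret: str = field(repr=False)  # excluded from the generated repr()

    def __str__(self) -> str:
        # Show only a short key prefix; the secret is never rendered.
        return f"Credentials(api_key={self.api_key[:4]}..., api_secret=<redacted>)"


def load_credentials(environ: Optional[Mapping[str, str]] = None) -> Credentials:
    """Read credentials from the environment and fail closed if any are missing.

    `environ` defaults to os.environ; a mapping can be passed in for tests.
    An empty string counts as missing, since a blank export is a common mistake.
    """
    env = os.environ if environ is None else environ
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError(
            "missing required environment variables: " + ", ".join(missing)
        )
    return Credentials(api_key=env["X_API_KEY"], api_secret=env["X_API_SECRET"])


if __name__ == "__main__":
    creds = load_credentials()  # raises with a clear message if the shell did not export them
    print(creds)                # prints the redacted form only
```

Because the loader raises at import time of your app's entry point, a misconfigured container or CI job stops immediately instead of making unauthenticated requests and producing confusing 401 errors later.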

If credentials are compromised

  1. Regenerate immediately in the Developer Console
  2. Revoke old tokens — regenerating automatically invalidates old credentials
  3. Audit usage — check for unauthorized API activity
  4. Update your app — deploy new credentials to all environments

Application security

Input validation

Never trust user input. Validate and sanitize all data before using it:
import re

# Bad - vulnerable to injection
query = f"from:{user_input}"

# Good - validate input first (usernames are 1-15 letters, digits or underscores).
# fullmatch is used instead of match with ^...$ because $ also matches before a
# trailing newline, which would let "alice\n" through.
if re.fullmatch(r'[a-zA-Z0-9_]{1,15}', user_input):
    query = f"from:{user_input}"
else:
    raise ValueError("invalid username")

Output encoding

Escape X API data before displaying in HTML to prevent XSS:
// Bad - vulnerable to XSS
element.innerHTML = tweet.text;

// Good - escape HTML
element.textContent = tweet.text;
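The JavaScript above handles the browser side. When the page is assembled on the server instead, the same rule applies per context: text nodes, attribute values and `href` targets each need their own treatment. This is an added example, not code from the X documentation; `render_tweet_html` and `safe_href` are assumed names, and the tweet dictionary is a constructed stand-in for an API response.

```python
import html
from urllib.parse import urlsplit


def safe_href(url: str) -> str:
    """Allow only http(s) URLs with a host in href attributes; anything else becomes '#'.

    html.escape alone does not stop javascript: or data: URLs, which are valid
    attribute text but execute when clicked, so the scheme is checked first.
    """
    parts = urlsplit(url)
    if parts.scheme in ("http", "https") and parts.netloc:
        return html.escape(url, quote=True)
    return "#"


def render_tweet_html(tweet: dict) -> str:
    """Escape API-supplied text for each HTML context before concatenating."""
    # Text node: < > & must be escaped; quotes are harmless here.
    text = html.escape(tweet.get("text", ""), quote=False)
    # Attribute value: quotes must be escaped too, hence quote=True.
    author = html.escape(tweet.get("username", ""), quote=True)
    links = "".join(
        f'<a href="{safe_href(u)}" rel="noopener noreferrer">{html.escape(u, quote=True)}</a>'
        for u in tweet.get("urls", [])
    )
    return f'<p data-author="{author}">{text}</p>{links}'


if __name__ == "__main__":
    # Constructed sample with hostile-looking content; none of it reaches the page as markup.
    sample = {
        "username": 'quote"name',
        "text": "<script>alert(1)</script> hello",
        "urls": ["https://example.com/a?b=1&c=2", "javascript:alert(1)"],
    }
    print(render_tweet_html(sample))
```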

Common vulnerabilities to prevent

  Vulnerability    Prevention
  XSS              Escape all user-generated content before rendering
  CSRF             Use anti-CSRF tokens in forms; verify OAuth state parameter
  SQL Injection    Use parameterized queries, never concatenate user input
  Open redirects   Validate callback URLs against an allowlist
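An allowlist check for the open-redirect row, as an added example rather than code from the X documentation. `ALLOWED_CALLBACKS` is a constructed list of the callback URLs an app has registered, and `is_allowed_callback` is an assumed name. The check compares the parsed URL exactly (scheme, lowercased host, optional port, path) and rejects the common bypasses a substring or prefix match would let through: userinfo before an `@`, a look-alike subdomain of an attacker host, scheme-relative `//` URLs, and backslashes that browsers treat as slashes but `urlsplit` does not.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example; in a real app these are the exact redirect
# URIs registered in the Developer Console.
ALLOWED_CALLBACKS = {
    "https://app.example.com/oauth/callback",
    "https://staging.example.com/oauth/callback",
}


def is_allowed_callback(url, allowlist=ALLOWED_CALLBACKS) -> bool:
    """Return True only if url matches a registered callback exactly."""
    if not isinstance(url, str) or not url:
        return False
    # Browsers normalise '\' to '/', urlsplit does not; refuse rather than guess.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme != "https":          # also rejects '//host/path' (empty scheme)
        return False
    if parts.username is not None or parts.password is not None:
        return False                     # https://app.example.com@evil.example/...
    if parts.query or parts.fragment:
        return False                     # registered callbacks carry no query or fragment
    if not parts.hostname:
        return False
    try:
        port = parts.port                # raises ValueError on a non-numeric port
    except ValueError:
        return False
    host = parts.hostname if port is None else f"{parts.hostname}:{port}"
    canonical = f"{parts.scheme}://{host}{parts.path}"
    return canonical in allowlist
```

Note that `parts.hostname` is already lowercased, so `https://APP.example.com/oauth/callback` is accepted, while an explicit `:443` is kept in the canonical form and therefore rejected unless the allowlist also contains it; that is deliberately conservative.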

OAuth security

State parameter

Always use the state parameter in OAuth flows to prevent CSRF:
from flask import abort, request, session
import secrets

# Generate state before authorization
state = secrets.token_urlsafe(32)
session['oauth_state'] = state

# Verify state after callback
if request.args.get('state') != session.get('oauth_state'):
    abort(403)  # State mismatch - possible CSRF
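Two details worth adding to the check above: the stored state should be consumed on first use so a replayed callback fails, and the comparison should be constant-time. The following is an added example with an in-memory dictionary standing in for the framework's session store (`begin_authorization` and `verify_callback_state` are assumed names, not part of the X documentation or any X SDK).

```python
import hmac
import secrets


def begin_authorization(store: dict) -> str:
    """Create a fresh, unguessable state value and remember it server-side.

    `store` stands in for the user's session; the returned value goes into the
    authorization URL's state parameter.
    """
    state = secrets.token_urlsafe(32)
    store["oauth_state"] = state
    return state


def verify_callback_state(returned_state, store: dict) -> bool:
    """Consume the stored state exactly once and compare it in constant time."""
    expected = store.pop("oauth_state", None)  # single use: a second callback fails
    if expected is None or not isinstance(returned_state, str):
        return False
    # Compare as bytes so non-ASCII input cannot raise TypeError in compare_digest.
    return hmac.compare_digest(expected.encode("utf-8"), returned_state.encode("utf-8"))


if __name__ == "__main__":
    session = {}                                   # constructed stand-in for a real session
    issued = begin_authorization(session)
    print(verify_callback_state(issued, session))  # True on the genuine callback
    print(verify_callback_state(issued, session))  # False: state already consumed
```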

Token storage

  Token type       Storage recommendation
  Access tokens    Encrypted database or secure vault
  Refresh tokens   Encrypted database with additional access controls
  Bearer tokens    Environment variables or secure configuration

Secure development practices

Security audits

Conduct regular security reviews and penetration testing.

Dependency scanning

Keep dependencies updated. Use tools to detect vulnerable packages.

Logging

Log security events but never log credentials or sensitive data.
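One way to enforce "never log credentials" at the logging layer rather than relying on every call site, as an added example that is not part of the X documentation. `RedactingFilter` and `redact` are assumed names; the regular expressions cover `Authorization: Bearer` values and `key=value` style fields such as `api_key`, `api_secret`, `access_token`, `refresh_token` and `oauth_token`, and the log lines at the bottom are constructed samples.

```python
import logging
import re

# Patterns for secrets that commonly end up in log lines. These are assumptions tuned
# to this example; extend them for whatever your own code logs.
_SECRET_PATTERNS = [
    # Authorization headers: keep the word "Bearer", drop the token that follows.
    re.compile(r"(Bearer\s+)[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE),
    # key=value or key: value fields, in URLs, dicts or config dumps.
    re.compile(
        r"((?:api[_-]?key|api[_-]?secret|access[_-]?token|refresh[_-]?token"
        r"|oauth_token(?:_secret)?)\s*[=:]\s*['\"]?)[^\s'\"&,}]+",
        re.IGNORECASE,
    ),
]


def redact(text: str) -> str:
    """Replace any matched secret value with the literal <redacted>."""
    for pattern in _SECRET_PATTERNS:
        text = pattern.sub(r"\1<redacted>", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's final message so no handler ever sees a secret."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format with args first, then scrub
        record.args = ()
        return True


def redact_lines(lines):
    """Helper for tests and batch use: scrub a list of already-formatted lines."""
    return [redact(line) for line in lines]


# Constructed sample log lines for this example.
SAMPLE_LINES = [
    "request GET /2/users/me Authorization: Bearer AAAAexampletoken123",
    "callback received oauth_token=abc123&oauth_verifier=xyz",
    "config loaded api_key=KEY123 api_secret=SECRET456",
    "user 42 logged in from 203.0.113.7",
]

if __name__ == "__main__":
    logger = logging.getLogger("x_app")
    logger.addFilter(RedactingFilter())   # attach to the logger so every handler benefits
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    for line in SAMPLE_LINES:
        logger.info("%s", line)
```

Attaching the filter to the logger (not just one handler) means a later-added file or SIEM handler is covered too; the fourth sample line shows that ordinary security events still pass through unchanged.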

Monitoring

Set up alerts for unusual API usage patterns.

Reporting security issues

If you discover a security vulnerability affecting X:
Report within 48 hours. X Developer Platform users must notify X no more than 48 hours after suspecting a security incident.

Compliance checklist

  • All API requests use TLS/HTTPS
  • Credentials stored securely (not in code or logs)
  • User tokens encrypted at rest
  • Input validation on all user-supplied data
  • Output encoding to prevent XSS
  • CSRF protection on OAuth flows
  • Security logging enabled (without sensitive data)
  • Incident response plan documented
  • Dependencies regularly updated
  • Minimal OAuth scopes requested

Resources