Skip to main content
The X API requires authentication for all endpoints. The XDK supports three authentication methods:
  1. Bearer Token (app-only)
  2. OAuth 2.0 with PKCE
  3. OAuth 1.0a (User Context)
  • Bearer Token: Use this for read-only access for endpoints that support app-auth (e.g., searching Post’s, streaming endpoints).
  • OAuth 2.0 PKCE: Secure authentication for scope-based, user-authorized access (e.g. getting authenticated user’s Post non_public metrics)
  • OAuth 1.0a: Legacy authentication for user-specific operations (e.g., posting on behalf of a user, managing lists) Obtain credentials from the X Developer Console. You’ll need an approved developer account and an app with appropriate permissions (e.g., Read + Write).

Creating a Client

All authentication flows create a Client instance:

1. Bearer Token (App-Only)

For read-only operations without user context. Steps:
  1. In the Developer Console, generate a Bearer Token for your app.
  2. Pass it to the Client. Example:
Usage:

2. OAuth 2.0 with PKCE (User Context)

This example shows how to use OAuth 2.0 with Proof Key for Code Exchange (PKCE). Use this for user-specific access (e.g. posting on behalf of a user), uploading media for a user etc.). Steps:
  1. In the Developer Console, register your app with a redirect URI (e.g., http://localhost:8080/callback).
  2. Get Client ID (no secret needed for PKCE).
  3. Initiate the flow, direct user to auth URL and handle callback. Example (using a web server for callback):
Token Refresh (automatic in SDK for long-lived sessions):

3. OAuth 1.0a (User Context)

For legacy applications or specific use cases that require OAuth 1.0a authentication: Steps:
  1. In the Developer Console, get your API Key and API Secret.
  2. If you already have access tokens, use them directly. Otherwise, complete the OAuth 1.0a flow to obtain them.
  3. Create an OAuth1 instance and pass it to the Client. Example (with existing access tokens):
Example (complete OAuth 1.0a flow):
Note:
  • Never hardcode secrets in production; use environment variables or secret managers (e.g., os.getenv("X_BEARER_TOKEN")).
  • For PKCE, ensure HTTPS for redirect URIs in production.
  • The SDK validates tokens and raises xdk.AuthenticationError on failures. For detailed code examples using the Python XDK, check out our code samples GitHub repo.