The "Magic" Behind Apple's Username/Password Twitter Login

Twitter shut off basic authentication in August. Yet, that did not put an end to sharing one's password with other services. Mobile apps still request your credentials, as opposed to redirecting to Twitter as part of the "OAuth dance." And the same was true with Apple's Twitter integration. Why aren't some playing by Twitter's new rules?

According to a tweet from Twitter's Ryan Sarver, Apple's service uses xAuth, a derivative of OAuth. With xAuth the username and password is passed only once, in order to retrieve an OAuth token. From that moment, the process is the same as OAuth. The password is not meant to be stored by the third party.

Only approved applications can use xAuth, according to Twitter's page on the topic:

xAuth access is restricted to approved applications. If your application is a desktop or mobile application and the standard web OAuth flow or PIN-code out-of-band flow is not right for you, send a detailed message to to request xAuth privileges. Include the name of your application, the consumer key, the application ID (if available), and a summary of how xAuth is best-suited for your application.

It's not obvious how Twitter's xAuth relates to the burgeoning XAuth lauded by open web advocates.

With its move to OAuth-only authentication, Twitter was attempting to fix the anti-pattern of sharing login information with third parties. It seems that the company is okay with users sharing credentials, as long as it's with an approved partner. This makes some sense on mobile devices, where the full OAuth user experience is still far too complicated.

However, playing favorites on mobile devices may be a touchy subject with Twitter developers. The company acquired perhaps the best Twitter iPhone app, Tweetie, which it has now renamed Twitter for iPhone. The app was made by a single developer. It's unclear what criteria Twitter is using to choose partners and whether that sort of developer would stand a chance of being included in xAuth.

Adam DuVander The former ProgrammableWeb Executive Editor, Adam is an API expert now helping regular people connect them at Zapier. Previously he worked at API companies SendGrid and Orchestrate, and wrote for Wired and Webmonkey. Adam is also the author of mapping API cookbook Map Scripting 101. Find him at

Comments (1)


Doesn't TweetDeck use xAuth ?