Twitter OAuthcalypse Coming Soon

Back in the good old days things were a lot simpler. You didn’t have to worry about packet capturing or password extracting, and as a result a lot of the original protocols like HTTP, FTP and POP3 didn’t worry about sending your passwords over the wire in plain text. But in today's increasingly sophisticated API-driven world this isn't enough.

For developers, storing a username and password and sending them to a web server was easy – most APIs and libraries included simple username and password fields. The most common form of this kind of authentication, typically known as HTTP basic authentication, has been available to users of the Twitter API for some time now, and its convenience has made it more attractive than secure protocols like OAuth for a number of developers. However, on June 30th Twitter will be shutting off basic authentication:

You're going to be hearing a lot from me over the next 9 weeks.  Our plan is to turn off basic authorization on the API by June 30, 2010 -- developers will have to switch over to OAuth by that time.  Between now and then, there will be a *lot* of information coming along with tips on how to use OAuth Echo, xAuth, etc.  We really want to make this transition as easy as we can for everybody.

As always, please feel free to reach out to this group, or to @twitterapi directly. If you need help remembering the date -

And as noted above the Twitter team has even created a handy countdown clock to help you count the days:

The change will only affect the REST API, while the streaming API will continue to support basic authentication.

The effect of the change is not limited to small hobby projects – popular Twitter clients like TweetDeck have traditionally used basic authentication (although they have made the switch to OAuth). While Twitter will provide a lot of documentation and support for the change over to OAuth, the onus is still on developers to make the required changes, and there are lots of mashups that make use of the Twitter API.
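
The difference between the two schemes discussed above, as an added example that is not from the original article or from Twitter: it builds a Basic header and recovers the password from it, then computes an OAuth signature in which the secrets only key an HMAC and are never transmitted. It assumes OAuth 1.0a with HMAC-SHA1 (RFC 5849); the endpoint, keys, secrets and function names are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def basic_header(user, password):
    """HTTP Basic: base64("user:password"), repeated on every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def recover_basic(header):
    """Anyone who sees the header can do this: base64 is an encoding, not encryption."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 signature over method, URL and sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

# Constructed sample values (assumptions: not real credentials or a real endpoint).
URL = "https://api.example.test/1/statuses/update.json"
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"
PARAMS = {
    "status": "Hello, OAuth!",
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_token": "constructed-access-token",
    "oauth_nonce": "7d8f3e4a",            # unique per request
    "oauth_timestamp": "1277856000",      # lets the server reject stale requests
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    header = basic_header("alice", "constructed-password")
    print(header, "->", recover_basic(header))   # the password falls straight out
    sig = oauth1_signature("POST", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print("oauth_signature =", sig)               # only the signature is sent
```

Changing any signed parameter, such as the status text, changes the signature, so a captured request cannot be edited and resent without the secrets.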



Comments (10)

[...] Beckemeyer (Mr Blog) did when his tweeting garage door opener was threatened by the approaching OAuthpocalypse. This date with destiny for all Twitter programmers is the planned June 30th cutoff of basic [...]

I'm delighted to hear this news. It will somewhat raise the entry barrier to those scripting against Twitter and I'm sure in the process deter many who abuse the service for their own ends.

[...] developers beware! Their API authentication is becoming more sophisticated. Programmable Web reports that Twitter's REST API will require OAuth authentication starting in June of this year. [...]

[...] the side, that’s just three more weekends of hacking to upgrade apps to OAuth. The original deadline was June 30, but Twitter later postponed to [...]

[...] has gone OAuth-only and it is judgement day for the scores of Twitter apps still using basic authentication. Developers [...]

[...] users make happier developers, but Twitter also has given developers plenty of time. The move was first announced in April. For developers in need of help moving to OAuth, Twitter has a guide. Related ProgrammableWeb [...]

[...] have had plenty of warning. Twitter first announced the move in April, then extended the deadline from June to August and finally implemented a gradual phase-out. [...]

[...] Twitter went OAuth-only over the summer, in what some frustrated developers forced to retool their applications called the “OAuthocalypse”. Facebook’s Graph API, launched back in April and replacing the service’s older APIs, has used OAuth from the start. With the popularity of Foursquare mashups, we might see similar OAuthocalypse issues when the location startup shuts off v1 of its API in mid 2011. [...]

[...] Twitter shut off basic authentication last year, it gave over four months notice, though the original heads up was half that. The company [...]