Creating bots with OAuth 2.0 Authorization Code Flow with PKCE and V2 of the Twitter API
Jessica Garson
Posted on September 23, 2022
Bots on Twitter are a large part of what makes the conversation on Twitter engaging and unique. Some bots enhance the Twitter experience, like Thread Reader, and some bots provide vital information, such as Acts of Congress. Additionally, there are other bots, such as New New York Times, which Tweets every time the New York Times uses a new word.
Making bots on Twitter is a great way to start programming and using the Twitter API. However, in the past year, we’ve made some improvements to our API, such as launching a new manage Tweets endpoint and an OAuth 2.0 Authorization Code Flow with PKCE. Making bots using these new features is possible, but it is a bit different than it has been in the past.
A new paradigm for making bots
One change with OAuth 2.0 is that the bot account will need to log in and give consent to your App before you can get an access token. As someone who is typically a backend-focused developer, I found this a bit harder to get my head around. How I solved this problem as a Python developer by creating a Flask application to handle the login flow.
With OAuth 2.0, your access token, the credential you use to request v2 endpoints, stays valid for two hours. However, since bots run automatically, you will need to figure out how to handle refreshing tokens and save them to a database or in memory.
Prerequisites
- A developer account. If you don’t already have access to the Twitter API, you can sign up for a developer account.
- A Project in the developer portal
- An App containing the credentials required to use the Twitter API
- OAuth 2.0 turned on in your App’s authentication settings
Steps to making a bot
- Step 1: Set up the profile for your bot, including adding a profile picture and banner image and setting up a label to indicate your bot is a bot.
- Step 2: While logged in as your bot, you can make your bot's first call using our API playground.
- Step 3: Create a web application that handles the OAuth 2.0 log-in flow for your bot
- Step 4: Determine how you’ll handle refreshing tokens for your bot and where you will store your token information.
- Step 5: Figure out how often your bot will Tweet. For example, my bots typically Tweet twice a day, but it could be more frequent or less frequent depending on the bots you create.
Resources
- Check out our tutorial, which walks you through how to make a bot with OAuth 2.0 using Python. This tutorial walks you through how to make a bot that Tweets dog facts like this bot.
- We have an example bot starter project built using Flask deployed to Glitch that can be remixed. This code powers this bot that Tweets noun/verb pairings.
Key learnings
As I’ve been making bots using OAuth 2.0, I’ve learned the following lessons along the way:
Using Python’s persistent in-memory storage as a key-value store
When I started making bots using OAuth 2.0, I used Redis as a key-value store for handling my tokens. I found that I could use the dbm Python package as a lightweight, cost-effective way of storing my tokens in a key-value store.
Handling refresh tokens
While refresh tokens remain valid for six months to allow flexibility to change the timing, it might be best to generate a new one each time the bot posts a Tweet.
Determining the timing for bots in the application itself
When I’ve previously made bots, I’ve typically used an external service such as Render’s cron job service or Google’s cloud scheduler to handle the timing of my bots. But for @noun__verb, I used flask-apscheduler to set up the timing. This might be better for smaller projects, but you may want to consider a cloud service as you scale.
Next steps
Hopefully, this post inspires you to create Twitter bots using OAuth 2.0. Be sure to inform us on the forums if you run into any troubles along the way, or Tweet us at @TwitterDev if this guide inspires you to create anything!
Posted on September 23, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.