PIN-based authorization

The PIN-based OAuth flow is a version of the 3-legged OAuth process and is intended for applications that cannot access or embed a web browser to redirect the user after authorization. Examples of such applications would be command-line applications, embedded systems, game consoles, and certain types of mobile apps.

PIN-based OAuth flow is initiated by an app in the request_token with the oauth_callback set to oob. The term oob means out-of-band OAuth.  The user still visits Twitter to login or authorize the app, but they will not be automatically redirected to the application upon approving access. Instead, they will see a numerical PIN code, with instructions to return to the application and enter this value.

Please note: The callback_url within the Twitter app settings is still required, even when using PIN-based auth.
 

Implementing the PIN-based OAuth flow

The PIN-based flow is implemented in the same way as 3-legged authorization (and Sign in with Twitter), with the following differences:

1. The value for oauth_callback must be set to oob during the POST oauth/request_token call.

2. After the user is sent to Twitter to authorize your app using either a GET oauth/authenticate or GET oauth/authorize URL, they will not be redirected to your callback_url, instead they will see a screen with a Twitter generated ~7 digit PIN with directions to enter the PIN into your applications name.

3. The user enters this PIN into your application, and your application uses the PIN number as the oauth_verifier in the POST oauth/access_token to obtain an access_token.

Please note: PIN numbers are not reusable, and the access_token obtained should be used for application-user requests.
 

Next steps

• Learn more about securing keys and access tokens
• See how to obtain access tokens for another user