Developer terms

Developer Policy

Let's get started

 

X + Developers 

X loves developers. We’re delighted and amazed by the tools and services this community creates by harnessing the power of X data. As part of our commitment to this community, we aim to provide data access that is open and fair for developers, safe for people on X, and beneficial for the X platform as a whole. To further these goals we’ve crafted the Developer Policy as a guide to help people understand our rules and expectations about appropriate API and X Content usage.

This Developer Policy (“Policy”) provides rules and guidelines for developers who interact with X’s ecosystem of applications, services, website, web pages and content. It is part of your contract with X governing access to and use of the X API and X Content (either as part of the Developer Agreement or other written agreement with X). Policy violations are considered violations of your agreement. This Policy may be changed from time to time without notice. Capitalized terms used in this Policy, which are not defined in this Policy, will have the respective meanings ascribed to them in the Developer Agreement or the Master License Agreement.

 

Using this policy

We’ve structured this policy to make it as easy to follow as possible. Please keep information from the following policy sections top of mind as you use the X API and X Content:

1. Set Yourself Up for Success - You are responsible for complying with all X policies. It’s important that you review and understand this Policy, as well as the policies we link to in this document, before you access the X API and X Content. The time spent reviewing our policies may save you hours of rework down the road.

2. Privacy and Control are Essential - Protecting and defending the privacy of people on X is built into the core DNA of our company. As such, we prohibit the use of X data in any way that would be inconsistent with people’s reasonable expectations of privacy. By building on the X API or accessing X Content, you have a special role to play in safeguarding this commitment, most importantly by respecting people’s privacy and providing them with transparency and control over how their data is used.

3. Follow the Platform Usage Guidelines - Getting approved to access the X API and X Content is just the first step. Our Platform Usage Guidelines should be your first stop anytime you have questions about how to ensure policy compliance for your planned use of the X platform.

We’ve provided a lot more detail on what each of these three key sections mean below. Please review them carefully to ensure that your usage of the X API and X Content is consistent with our policies. 

If we believe you are in violation of this Policy (or any other X policy), we may suspend or permanently revoke your access to the X API and X Content. 

Finally, please note that X may monitor your use of the X API to improve the X Applications, to examine any commercial use, and to ensure your compliance with your approved use case and this Policy.

Thanks for reading, and thank you for building with us! We look forward to seeing what you create!

Chapter 1

Set yourself up for success

 

Set yourself up for success

You can avoid many potential pitfalls while using the X API by ensuring that your service has been built the right way from day 1. This section of the Developer Policy contains rules that all developers must follow before using the X API or X Content.

We review all proposed uses of the X developer platform to verify policy compliance — so you’re required to disclose (and update, as applicable) your planned use of the X API and X Content in order to be granted and to maintain access. All new developers must apply for a developer account to access the X API. Current developers without an approved developer account must apply for one as directed to do so by X. As part of this process, you’ll need to provide us with a written description of your intended uses of the X API and X Content.

Your use case description is binding on you, and any substantive deviation from it may constitute a violation of our rules and result in enforcement action. You must notify us of any substantive modification to your use case and receive approval before you may begin using X Content for that new purpose. Failure to do so may result in suspension and termination of your API and data access. 

By building on the X API or accessing X Content, you must comply with ALL X policies. These include this Developer Policy, the Automation Rules, the Display Requirements, the API Restricted Uses Rules, the X Rules, and the X Brand Resources, as well as any other agreements you enter into with X relating to your use of the X API or X Content, including but not limited to the Developer Agreement or a Master Licensing Agreement or Order (as applicable). You must also comply with any modifications to these policies and any new policies launched by X. It is your responsibility to monitor the use of your service and to design your service to prevent violations of X policy by people who use it. Failure to do so may result in suspension or termination of your API and X Content access.

You may not register multiple applications for a single use case or substantially similar or overlapping use cases. In this context, a “use case” is a consistent set of analyses, displays, or actions performed via an application. Please note that providing the same service or application to different people (including “white label” versions of a tool or service) counts as a single use case.

As a single exception to these rules, you may create and use a maximum of 3 applications for development, staging, and production instances of the same service. These apps must be registered to a single account, and should be clearly identified (in the name and description) as dev, staging, and prod instances of a single service. You may not use development or staging applications for production purposes.

You must keep all API keys or other access credentials private. You may not use, and may not encourage or facilitate others to use, API keys or other access credentials owned by others.

Your license agreement with X limits your use of the X API and X Content. Among other things, the X API has rate limits which help to ensure fair data usage and to combat spam on the platform. You may not exceed or circumvent rate limits, or any other limitations or restrictions described in this Policy or your agreement with X, listed on the Developer Site, or communicated to you by X.

You may not remove or alter any proprietary notices or marks on X Content received via the X API. This helps to make sure that people know where X Content is coming from, and who it belongs to.

For data integrity and platform health reasons, you may not interfere with, intercept, disrupt, or disable any features of the X API or the X service. In other words, use the APIs as intended and documented on developer.x.com. Refer to our HackerOne guidelines for more details about acceptable use.

Chapter 2

Privacy and control are essential

 

Privacy and control are essential

X takes privacy seriously, and we expect everyone using X Content and the X API to do the same. Any use of the X developer platform, X API, or X Content in a manner that is inconsistent with peoples’ reasonable expectations of privacy may be subject to enforcement action, which can include suspension and termination of API and X Content access.

Your commitment to privacy and control must extend to all uses of X Content and all aspects of the service that you build using our API. To that end, the people using your service must understand and consent to how you use their data, and how you access X on their behalf. This can be accomplished through providing people with a clear, comprehensive, and transparent privacy policy, as well as ensuring that you get express and informed consent from each person using your service before taking any action on their behalf. Please note that a person authenticating into your service does not by itself constitute consent.

 

Consent & permissions

In particular, you must get express and informed consent from people before doing any of the following:

  • Taking any actions on their behalf. This includes (but is not limited to): 
    • Posting content to X
    • Following/unfollowing accounts
    • Modifying profile or account information
    • Adding hashtags or any other content to Posts
  • Republishing content accessed by means other than via the X API or other X tools
  • Using someone’s X Content to promote a product or service
  • Storing non-public content such as Direct Messages (DMs), or any other private or confidential information

  • Sharing or publishing protected content, or any other private or confidential information

If your service allows people to post content to X you must do the following before publishing:

  • Show exactly what will be published

  • Make it clear to people using your service what geo information (if any) will be added to the content

If your service allows people to post content to both your service and X, you must do the following before publishing:

  • Obtain permission to post the content

  • Explain where you will post the content

You must respect the protected and blocked status of all X Content. You may not serve content obtained using one person’s authentication token to a different person who is not authorized to view that content.

  • Protected accounts: A protected account’s content is only available to people who have been approved by the owner to follow that account. So, if you run a service that accesses protected accounts, you may only do so to serve such content to the specific people with permission to view that content.

  • Blocked accounts: People on X are able to block access to their accounts for any reason they choose. Commingling information obtained from tokens (or any other API-based action) to bypass this choice is not permitted.

As Direct Messages (DMs) are non-public in nature, services that provide DM features must take extra steps to safeguard personal privacy. You may not serve DM content to people who are not authorized to view that content. If your service provides DM functionality you must also:

  • Notify people if you send read receipt events for DMs. You can do this by providing a notice directly in your service, or by displaying read receipts from other participants in a conversation.
  • Get consent before configuring media to be sent in a DM as "shared" (i.e. reusable across multiple DMs). If you do allow media in a DM to be “shared,” you must provide a clear notice that this content will be accessible to anyone with the media’s URL.

 

Content compliance

If you store X Content offline, you must keep it up to date with the current state of that content on X. Specifically, you must delete or modify any content you have if it is deleted or modified on X. This must be done as soon as reasonably possible, or within 24 hours after receiving a request to do so by X or the applicable X account owner, or as otherwise required by your agreement with X or applicable law. This must be done unless otherwise prohibited by law, and only then with the express written permission of X.

Modified content can take various forms. This includes (but is not limited to): 

  • Content that has been made private or gained protected status
  • Content that has been suspended from the platform

  • Content that has had geotags removed from it

  • Content that has been withheld or removed from X

 

Off-X matching

We limit the circumstances under which you may match a person on X to information obtained or stored off-X. Off-X matching involves associating X Content, including a X @handle or user ID, with a person, household, device, browser, or other off-X identifier. You may only do this if you have express opt-in consent from the person before making the association, or as described below.

In situations in which you don’t have a person’s express, opt-in consent to link their Xidentity to an off-X identifier, we require that any connection you draw be based only on information that someone would reasonably expect to be used for that purpose. In addition, absent a person’s express opt-in consent you may only attempt to match your records about someone to a X identity based on:

  • Information provided directly to you by the person. Note that records about individuals with whom you have no prior relationship, including data about individuals obtained from third parties, do not meet this standard; and/or

  • Public data. “Public data” in this context refers to:

    • Information about a person that you obtained from a public, generally-available resource (such as a directory of members of a professional association)

    • Information on X about a person that is publicly available, including:

      • Posts

      • Profile information, including an account bio and publicly-stated location

      • Display name and @handle

 

Your privacy policy

You must display your service’s privacy policy to people before they are permitted to download, install, or sign up to your service. It must disclose at least the following information:

  • The information that you collect from people who use your service

  • How you use and share that information (including with X)

  • How people can contact you with inquiries and requests regarding their information

Your privacy policy must be consistent with all applicable laws, and be no less protective of people than X’s Privacy Policy and the privacy policy of our other services and corporate affiliates. You must cease your access to the X API and the use of all X Content if you are unable to comply with your and/or X’s Privacy Policy.

 

Using geo-data

Use of geo data comes with additional restrictions due to the sensitive nature of this information. If your service adds location information to Posts, you must disclose to people:

  • When you add location information

  • Whether you add location information as a geotag or annotations data

  • Whether your location information is listed as a place, or as geographic coordinates

If your application allows people to post with their location you must comply with X’s geo guidelines in full. 

Any use of location data or geographic information on a standalone basis is prohibited. You may not (and may not permit others to) store, aggregate, or cache location data and other geographic information contained in X Content, except as part of a Post. For example, you may not separate location data or geographic information out from Posts to show where individuals have been over time. Heat maps and related tools that show aggregated geo activity (e.g., the number of people in a city using a hashtag) are permitted.

 

X passwords

You may not store X passwords, or request that people provide their X password, account credentials, or developer application information (including consumer key) to you directly. We suggest the use of Sign-in with X as the authentication tool to link your service and people on X.

Chapter 3

Platform usage guidelines

 

Platform usage guidelines

Have you taken care to review X’s policies and set up your API access the right way? Does your service follow X’s privacy and control guidelines? If you can answer yes to these two questions, then you are ready to start using the X API and X Content. X’s Platform Usage Guidelines provide the assistance needed to ensure that your use of X Content is compliant from day 1 throughout the lifecycle of your service. We suggest reviewing these rules on a regular basis to make sure that your integration is operating in a way that is safe and beneficial to people on X and the X platform as a whole.

 

Spam, bots, and automation

The use of the X API and developer products to create spam, or engage in any form of platform manipulation, is prohibited. You should review the X Rules on platform manipulation and spam, and ensure that your service does not, and does not enable people to, violate our policies.

Services that perform write actions, including posting Posts, following accounts, or sending Direct Messages, must follow the Automation Rules. In particular, you should: 

If you’re operating an API-based bot account you must clearly indicate what the account is and who is responsible for it. You should never mislead or confuse people about whether your account is or is not a bot. A good way to do this is by including a statement that the account is a bot in the profile bio.

 

X performance benchmarking

You may not use the X API to measure the availability, performance, functionality, or usage of X for benchmarking, competitive, or commercial purposes. For example, you should never use the X API to:

  • Calculate aggregate X metrics, such as the total number of Monthly Actives (MAs) or Daily Actives (DAs)

  • Calculate aggregate X Post metrics, such as the total number of Posts posted per day, or the number of account engagements

  • Measure or analyze the responsiveness of X

  • Measure or analyze spam or security on X, except as permitted below

We support research that helps improve conversational health on X. You may not publicly disclose any research or findings concerning, or develop, create, or offer services using, the X API or X Content that measure, analyze, or attempt to identify behaviors or content which violate X policies without express written permission from X.

DSA Researchers: If you need to contact X relating to access under Art. 40 of the Digital Services Act, please contact EU-Questions@X.com. If you wish to apply for researcher access, please submit an application.

 

Public display of Posts

You must maintain the integrity of all X Content that you display publicly or to people who use your service. If you don’t use X for Websites to display content, then you must use the X API to retrieve the most current version available for display. If displayed content ceases to be available through the X API, then you must remove it from your service as soon as reasonably possible, or within 24 hours after the receipt of a removal request from X, or the applicable X account owner, or as otherwise required by applicable law.

There are specific rules you must follow if you display X Content offline. Follow the guidelines for using Posts in broadcast if you display Posts offline. 

If you embed or display Posts, you must contact us about your X API access if your site exceeds 10 million daily impressions. X reserves the right to require additional terms as a condition to your use of the X API. Additional restrictions on X for Websites developer use include:

  • Embedded Posts and/or embedded timelines

    • You must provide people with legally sufficient notice that fully discloses X’s collection and use of data about browsing activities on your website, including for interest-based advertising and personalization. You must also obtain legally sufficient consent from people for such collection and use
    • You must provide legally sufficient instructions on how people can opt out of X’s interest-based advertising and personalization as described here
       
  • X for Websites widgets

    • You must ensure that people are provided with clear and comprehensive information about, and consent to, the storing and accessing of cookies or other information on their devices as described in X’s cookie use, where providing such information and obtaining such consent is required by law
       
  • Services targeted to children under 13

    • Services targeted to children under 13 must opt out of tailoring X in any embedded Post and/or embedded timelines by setting the opt-out parameter to be ‘true’ as described here
 

Content redistribution

The best place to get X Content is directly from X. Consequently, we restrict the redistribution of X Content to third parties. If you provide X Content to third parties, including downloadable datasets or via an API, you may only distribute Post IDs, Direct Message IDs, and/or User IDs (except as described below). 

In total, you may not distribute more than 1,500,000 Post IDs to any entity (inclusive of multiple individuals associated with a single entity) within any 30 day period unless you have received written permission from X. In addition, developers may provide up to 500 public Posts Objects and/or User Objects to each person who uses your service on a daily basis if this is done via non-automated means (e.g., download of spreadsheets or PDFs).

Academic researchers are permitted to distribute Post IDs and/or User IDs solely for the purposes of non-commercial research on behalf of an academic institution, and that has been approved by X in writing, or peer review or validation of such research. Only as many Post IDs or User IDs that is necessary for such research, and has been approved by X may be used. 

Any X Content provided to third parties remains subject to this Policy, and those third parties must agree to the X Terms of Service, Privacy Policy, Developer Agreement, and Developer Policy before receiving such downloads. You may not enable any entity to circumvent any other limitations or restrictions on the distribution of X Content as contained in this Policy, the Developer Agreement, or any other agreement with X.

Note: This Section does not apply to researchers with X API access via Art. 40 of the EU Digital Services Act (2022) (“DSA”), who are instead subject to the procedures and restrictions set forth in the DSA and the Developer Agreement.

 

Pay to engage

Your service shouldn’t compensate people to take actions on X, as that results in inauthentic engagement that degrades the health of the platform. As you use the X API you may not sell or receive monetary or virtual compensation for any X actions. This includes, but is not limited to, Posts, follows, unfollows, reposts, likes, comments, and replies.

 

Service authenticity

You must clearly identify your service so that people can understand its source and purpose. Don’t use names, logos, or URLs that mask your service’s identity and features, or that falsely imply an affiliation with X or third parties. Note that creating applications for the purpose of selling names, or to prevent others from using names, is prohibited.

You may not use any URL (including shortened URLs) for your service that directs people to:

  • A site that is unrelated to your service

  • A spam or malware site

  • A site that encourages people to violate X policy

 

X name, logo, and likeness

You may only use and display the X name and logo to identify X as the source of X Content. You should never use the X name and logo, the X Official Partner Program badge, or any other similar marks or names in a manner that creates a false sense of endorsement, sponsorship, or association with X. The X Brand Resources contain detailed information to help you use the X brand in the right way.

You may only use the X Verified Account badge and any other enhanced account categorization as it is reported to you by X through the API. This helps people know that the content your service displays is equivalent to that shown on X.

 

Advertising on X

There are restrictions regarding how and where you are allowed to advertise around X Content. To start, your advertisements can’t resemble or reasonably be confused by people as a Post. Other rules on advertising include:

  • There must be a clear separation between X Content and your advertisements. You may not place any advertisements within the X timeline other than X Ads.

  • X reserves the right to serve advertising via the X API. If you decide to serve X Ads once we start delivering them via the API, we will share a portion of advertising revenue with you in accordance with the relevant terms and conditions.

  • You may not use X Content, or information obtained from the X API to target people with advertising outside of the X platform.

Chapter 4

Rules for specific X services or features

The following additional rules apply for any use of the X services or features listed below:

 

X login

You must present people with easy to find options to log into and out of X, for example via the OAuth protocol. The Sign in with X option must be displayed at least as prominently as any other sign-up or sign-in feature on your service. You must also provide people without a X account the opportunity to create one via X.

Once someone on your service authenticates via Sign in with X you must clearly display their X identity. X identity includes the person’s current X @handle, avatar, and X logo. Any display of someone’s X followers on your service must clearly show that the relationship is associated with X.

 

X Cards

To ensure a quality experience you must develop your Card to render across all platforms where Cards are displayed. Additional rules that you must follow when using Cards include:

  • You must mark your Post as ‘true’ for sensitive media if you plan to display such media within a Card

  • You must use HTTPS for hosting all assets within your Card. Your Card should never generate active mixed content browser warnings

  • Audio and video content should include stop or pause controls, and default to ‘sound off’ for videos that automatically play content

You may not exceed or circumvent X’s limitations placed on any Cards, including the Card’s intended use. Additional restrictions on Cards use include:

  • You may not place third-party sponsored content within Cards without X’s approval

  • You may not attach monetary incentives (including virtual currency) within your Card or on X from your Card

  • You may not include content or actions within your Card that are misleading or not contextually relevant, such as URLs and media

  • You may only attach an App Card to a Post when someone is explicitly promoting or referring to the app in the Post

 

Definitions

  1. X Content ‒ Posts, Post IDs, X end user profile information, and any other data and information made available to you through the X API or by any other means authorized by X, and any copies and derivative works thereof.

  2. Developer Site ‒ X’s developer site located at https://developer.x.com.

  3. Services ‒ Your websites, applications and other offerings that display X Content or otherwise use the Licensed Material as explicitly approved by X.

  4. Post ID ‒ A unique identification number generated for each Post.

  5. Post ‒ A posting made on X Applications.

  6. “X” ‒ Means (a) X Corp. (1355 Market Street, Suite 900, San Francisco, CA, 94103, USA) if your principal place of business is outside the European Union, EFTA States, and the United Kingdom; or (b) Twitter International Unlimited Company (One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland) if your principal place of business is in the European Union, EFTA States, or the United Kingdom.

  7. Direct Message - A message  that is privately sent on X Applications by one end user to one or more specific end user(s) using X’s Direct Message function.

  8. X API ‒ The X Application Programming Interface (“API”), Software Development Kit (“SDK”) and/or the related documentation, data, code, and other materials provided by X with the API, as updated from time to time, including without limitation through the Developer Site.

  9. X Applications ‒ X’s consumer facing products, services, applications, websites, web pages, platforms, and other offerings, including without limitation, those offered via https://x.com and X's mobile applications.