PIN-based authorization

The PIN-based OAuth flow is a version of the 3-legged-OAuth process and is intended for applications which cannot access or embed a web browser in order to redirect the user after authorization. Examples of such applications would be command-line applications, embedded systems, game consoles, and certain types of mobile apps.

PIN-based OAuth flow is initiated by an app in the request_token with the oauth_callback set to 'oob' term. The term 'oob' means out-of-band OAuth, if you're curious.  The user still visits Twitter to login or authorize the app, but they will not be automatically redirected to the application upon approving access. Instead, they will see a numerical PIN code, with instructions to return to the application and enter this value.

Note: The callback_url within the Twitter app settings is still required, even when using PIN-based auth.



The PIN-based flow is implemented in the same exact way as 3-legged Authorization (and Sign in with Twitter), with the differences below:

  • Step 1: The value for oauth_callback must be set to 'oob' during the POST oauth / request_token call

  • Step 2: After the user is sent to Twitter to authorize your app using either a GET oauth/authenticate or GET oauth/authorize URL, they will not be redirected to your callback_url, instead they will see a screen with a Twitter generated ~7 digit PIN with directions to enter the PIN into your applications name.

  • Step 3: The user enters this PIN into your application and your application uses the PIN number as the oauth_verifier in the POST oauth/access_token to obtain an access_token.

Note: PIN numbers are not re-usable, the access_token obtained should be used for application-user requests.