Adam Green
Twitter API Consultant

Twitter API Tools: Handling protected accounts

by Adam Green on February 12, 2014

in 140dev Source Code,Twitter API Tools

The previous post touched on some issues of protected accounts that should be pursued in more detail. Twitter’s rules for developers have two basic principles that apply here: Don’t surprise the user, and Respect user privacy. Both certainly apply to revealing data from a protected account.

What becomes clear if you experiment with the code in the user_tweet.php tool is that it is possible to see the last tweet of a protected account. This happens when you request a protected account with OAuth tokens from that same account. This can occur in two ways. You can be using single-user OAuth and then call user_tweet() with that user’s user_id or screen_name. Or you can have a multi-user login system, and call user_tweet() with the tokens for the same user you are asking about.

The important point is that just because you get back a $response->status element in the API response, you can’t assume it is OK to display it or store it in a database. You must always check the $response->protected element first. If that is not empty, or has a value of true, then the account is protected, and you should ignore any tweet data delivered by the API.

I understand why Twitter coded the response for protected accounts the way they did. Their assumption is that when you authorize with a user’s tokens, it is OK to give you all their data. It is your responsibility to not accidentally reveal this data. The safe rule is: If the account is protected, don’t look at the tweets.

Leave a Comment

Previous post:

Next post: