Are you a developer or maintainer of an app that uses Twitter’s incredibly useful Sign in with Twitter functionality?
Are you suddenly getting error messages similar to the one below when trying to log in?
Callback URL not approved for this client application. Approved callback URLs can be adjusted in your application settings
This blog post might be useful.
This message, returned in the body of an HTTP 403 Forbidden response when your app attempts Sign in with Twitter, means that the callback URL your app sends, which probably worked for months, has not yet been whitelisted as Twitter’s new security policy requires:
As part of our continued effort to ensure safety and security in our developer platform, we’re announcing a new requirement that any developer using Sign in with Twitter must explicitly declare their callback URLs in a whitelist on apps.twitter.com.
In 30 days, we will begin enforcing the whitelist such that any URL not added to the whitelist will fail. This means that URLs can no longer be programmatically overridden in calls to the oauth/request_token endpoint. The callback_url parameter provided must match one of the whitelisted callback URLs.
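The point of the whitelist is that in OAuth 1.0a the callback passed to oauth/request_token is where the user's browser is sent, carrying oauth_token and oauth_verifier, after they approve the app; if that URL can be overridden per request, it can be pointed somewhere the app owner never intended. The following is an added example, not code from the original post or from Twitter: a small model of the whitelist enforcement the announcement describes, usable as a preflight check on what your own app sends as oauth_callback before the live call fails with a 403. The whitelist entries, the constructed 200 body, the function names and the exact-match rule (case-insensitive scheme and host, default ports dropped, everything else compared byte for byte) are assumptions made for illustration, not Twitter's published implementation.

```python
"""Added example (not the post's or Twitter's code): a model of the
callback-URL whitelist check described in Twitter's announcement, so an app
can test what it sends as oauth_callback before the live
oauth/request_token call fails with a 403. Whitelist contents, the sample
200 body and the matching rule below are assumptions for illustration."""
from urllib.parse import urlsplit, urlunsplit

# Body of the 403 response quoted in the post.
CALLBACK_NOT_APPROVED = (
    "Callback URL not approved for this client application. "
    "Approved callback URLs can be adjusted in your application settings"
)

# Constructed whitelist, standing in for what is entered on apps.twitter.com.
WHITELIST = [
    "https://example.com/auth/twitter/callback",
    "https://staging.example.com/auth/twitter/callback",
]

# Sentinel that never equals a real canonical URL (used for unparseable input).
_INVALID = object()


def canonical(url: str):
    """Normalise only what cannot change where a browser ends up: scheme and
    host case, and an explicit default port. Path and query are kept as-is so
    they must match exactly. Userinfo before '@' is discarded on purpose: the
    host after the '@' is the one the browser connects to. Fragments never
    reach a server, so they are dropped. (Assumption: strict matching.)"""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return _INVALID
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default = (scheme == "https" and port == 443) or (scheme == "http" and port == 80)
    if port is not None and not default:
        host = f"{host}:{port}"
    return urlunsplit((scheme, host, parts.path, parts.query, ""))


def callback_approved(oauth_callback: str, whitelist=WHITELIST) -> bool:
    """True only if oauth_callback is one of the whitelisted URLs. No prefix,
    wildcard or same-origin matching: a trailing slash, a different port or an
    extra query parameter is a different callback."""
    wanted = canonical(oauth_callback)
    if wanted is _INVALID:
        return False
    return any(canonical(entry) == wanted for entry in whitelist)


def request_token_response(oauth_callback: str, whitelist=WHITELIST):
    """Model of the oauth/request_token decision as (HTTP status, body).
    The 200 body is a constructed stand-in for a real token response."""
    if not callback_approved(oauth_callback, whitelist):
        return 403, CALLBACK_NOT_APPROVED
    return 200, "oauth_token=constructed&oauth_callback_confirmed=true"


if __name__ == "__main__":
    probes = [
        "https://example.com/auth/twitter/callback",                   # exact match
        "HTTPS://EXAMPLE.COM:443/auth/twitter/callback",               # same URL
        "https://example.com/auth/twitter/callback/",                  # trailing slash
        "http://example.com/auth/twitter/callback",                    # scheme downgrade
        "https://example.com/auth/twitter/callback?next=/",            # extra query
        "https://example.com@attacker.example/auth/twitter/callback",  # host after '@'
    ]
    for url in probes:
        status, body = request_token_response(url)
        print(f"{status} {url}\n    {body}")
```

Run it as a script to see which probes the model approves; only the first two pass. Compare the string your app actually puts in oauth_callback against the entry on apps.twitter.com with the same strictness, since a stray trailing slash or a dev port is enough to trip the real check.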
To fix this, you need to whitelist your callback URL on apps.twitter.com.
So, how does one whitelist a callback URL?
There are more details on callback URLs here but it’s a very simple fix if you already have one set.
How to whitelist your callback URL:
- Simply log in to apps.twitter.com with your Twitter developer account, select your app and click on the Settings tab.
- Scroll down the page and tick the checkbox “Enable Callback Locking (It is recommended to enable callback locking to ensure apps cannot overwrite the callback url)”.
- While you are there, check that the Callback URL field on the same page holds the exact URL your app sends as oauth_callback, including scheme, host, port and path: per the announcement above, a callback_url that does not match a whitelisted entry is rejected.
- Click on the Update Settings button.
If done correctly, your settings will be updated as below on the Details tab:
Hope that helped!
Image credit: jasonbase.com