X (Twitter)

Sign in with X (formerly Twitter) accounts using OAuth 2.0 with PKCE.

1. Create OAuth App

  1. Go to the X Developer Portal.
  2. Sign up for a developer account if you don't have one (Free tier available).
  3. Create a new Project and an App within it.
  4. Go to your app's Settings > User authentication settings > Set up.
  5. Configure:
    • App permissions: Select Read (minimum required)
    • Type of App: Choose Web App, Automated App or Bot
    • Callback URI / Redirect URL: Your EdgeBase callback URL (see below)
    • Website URL: Your app's URL

Existing App Is Fine

If the portal blocks creating another client app, reuse the existing app in your project and enable User authentication settings there. You do not need a separate app just for EdgeBase.

2. Set Redirect URI

Set the Callback URI / Redirect URL to:

https://your-edgebase-url/api/auth/oauth/x/callback

For local development:

http://localhost:8787/api/auth/oauth/x/callback

As of March 8, 2026, the X developer portal accepts a localhost callback URI here, but the general app metadata fields such as Website URL, Organization URL, Terms of Service, and Privacy Policy may still require public-looking https:// URLs in the current UI.

If the portal shows Not a valid URL format, keep the callback URI on http://localhost:8787/... but use public https://... URLs for the other app metadata fields.

3. Get Credentials

In your app's Keys and tokens tab:

  • Client ID — Found under OAuth 2.0 Client ID and Client Secret.
  • Client Secret — Generated alongside the Client ID.

These OAuth 2.0 credentials only appear after User authentication settings has been enabled for the app.

OAuth 2.0, Not 1.0a

EdgeBase uses OAuth 2.0 with PKCE. Make sure you copy the OAuth 2.0 credentials (not the OAuth 1.0a API Key and Secret).

4. Configure EdgeBase

// edgebase.config.ts
export default defineConfig({
  auth: {
    // Enable X as a sign-in provider
    allowedOAuthProviders: ['x'],
    oauth: {
      x: {
        // OAuth 2.0 Client ID and Client Secret from the Keys and tokens tab
        // (not the OAuth 1.0a API Key and Secret)
        clientId: 'YOUR_CLIENT_ID',
        clientSecret: 'YOUR_CLIENT_SECRET',
      },
    },
  },
});

5. Usage

client.auth.signInWithOAuth('x');

Provider Details

Property         Value
Scopes           tweet.read users.read
PKCE             Required (S256) — mandatory for X OAuth 2.0
Email            No — X does not provide email with these scopes
Email verified   No
Avatar           Yes — profile_image_url
Refresh token    Yes

Notes

  • X does not provide email addresses with the current scopes (tweet.read users.read). Users signing in with X will not have an email on their EdgeBase account unless they link another provider or set one manually.
  • Since no email is available, automatic account linking will not occur. Users must explicitly link accounts if they also have an email-based account.
  • PKCE (Proof Key for Code Exchange) is mandatory for X OAuth 2.0 — EdgeBase handles this automatically.
  • Token exchange uses Basic Auth credentials.
  • The Free tier of X developer access is sufficient for Sign In with X.
  • When copying credentials, use the OAuth 2.0 Client ID / Client Secret pair. Do not use the OAuth 1.0a API key, API secret, access token, or bearer token values.
  • Local verification was completed on March 8, 2026 against http://localhost:8787/api/auth/oauth/x/callback using the js-web browser harness. The current result was 3 passed / 6 skipped, which is expected when the signed-in X account does not unlock password/email/TOTP checks.