Overview
Real-time delivery
Receive events instantly as they occur
Push-based
Data sent directly to your server — no polling
Secure
CRC validation and signature verification
Reliable
Retry and recovery support
Products that support webhooks
These are the products that currently support delivering events via webhook:How webhooks work
- Event occurs — A user posts, sends a DM, gets followed, etc.
- X sends a POST request — JSON event payload sent to your registered webhook URL
- You process the event — Your server handles the event data
- Respond with 200 OK — Return a 200 status to acknowledge receipt
Webhook requirements
Endpoints
All endpoints require OAuth2 App Only Bearer Token authentication.
Security
X’s webhook-based APIs provide two methods for confirming the security of your webhook server:- Challenge-Response Check (CRC) — X sends periodic GET requests to your webhook URL. You respond with an HMAC-SHA256 hash to prove you control the endpoint. CRC checks happen on initial registration, hourly, and on manual re-validation.
-
Signature verification — Each POST request from X includes an
x-twitter-webhooks-signatureheader. You can verify this signature to confirm X is the source of incoming events.
See full implementation details
Step-by-step CRC setup, code examples, and signature verification
Webhook validation
A CRC check is sent to your webhook in the following cases:- Immediately upon creation
- On an explicit PUT request (
PUT /2/webhooks/{id}) - Periodically every 30 minutes, but only if the webhook has not been successfully validated in the past 24 hours
- It returns an invalid response to a CRC check
- Returns a 2XX status code but the
response_tokenis incorrect - Returns a 3XX status code
- Results in an SSL exception
- Returns a 2XX status code but the
- It experiences persistent transient errors such that it has not successfully validated for more than 28 hours (includes a 4-hour grace period for transient issues)
- The following responses are treated as transient errors:
- 4XX status code
- 5XX status code
- Request timeout
- Channel closed
- The following responses are treated as transient errors:
GET /2/webhooks endpoint or via the toolbox in the Developer Console.
Getting started
Prerequisites
- An approved developer account
- A Project and App in the Developer Console
- A publicly accessible HTTPS endpoint
- Your app’s consumer secret (API secret key) for CRC validation
Quickstart
Set up your webhook end-to-end
Filtered Stream Webhooks
Receive filtered Posts via webhook
Account Activity API
Receive account events via webhook
Sample apps
Working code examples