April 27, 2008 4:45 PM PDT

How I got burned by Twitter's API, why it matters, and how to fix it

by Rafe Needleman

Last week I discovered I was using Twitter too much. After an hour online with Twhirl, I got this message in the app: "Limit exceeded, paused 5 min." The error condition cleared up shortly, but the next morning, after just a few minutes, it came back and did not resolve. I had to go back to accessing Twitter via the Twitter.com site, where I still had access.

I had been bitten by a deficiency in Twitter's API (application programming interface), which allows alternate interfaces like Twhirl to work at all. The problem, it turns out, is temporarily fixable for end users, but Twitter is going to need to recode its API if it wants to make the Twitter platform for third-party apps and services more robust. And other Web 2.0 architects would do well to study this issue so they don't fall into the same hole.

I was schooled on the ins and outs of the Twitter API in part by my followers on Twitter, but also by Oren Michels, CEO of Mashery, a company that offers API services to Web 2.0 companies. Here's the lowdown:

The Twitter service limits the number of updates a user can get from it to 70 per hour. There's no limit if you're using Twitter.com, but if you want to use Twhirl or Friendfeed or Flock to read your Twitter account, the Twitter service keeps track of how many requests you're sending it and cuts you off if you exceed the limit.

Who's stealing my Twitter updates? Oh, wait, it's me.

The problem is that all the Twitter apps you use count toward your total. It's cumulative. Once an app, or more importantly, a Web service, has your Twitter log-in credentials, it can keep requesting Twitter updates on your behalf even when you aren't using the service anymore. And that's what happened to me: I use Twhirl heavily, but not that heavily. It's the other dozen or so services I've signed up to over the past few months that were pinging Twitter for me and using up my allotment of updates.

There's a temporary fix for people in my boat, and it's very simple: Change your Twitter password. That will cause all the previously configured connections to Twitter to break, and they'll stop using up your API calls. Just reconfigure the apps you do want to use with your new password and you're back in business. Thanks to my Twitter friend Scott Mahan for this tip. But this is a hack, and an inelegant one.

A better solution would be for Twitter to authorize access to its API by user and application, so users, or the Twitter team itself, could throttle or disconnect just the apps that hog the API without cutting people off from apps that are working fine.

The new OAuth protocol is designed specifically to solve this issue for all services. It combines user credentials with application keys to let developers and users control access to online services not just based on user ID, but on which app wants to use the service. Fire Eagle, the new location-caching service by Yahoo, uses OAuth in just this way, and it has some nice frills on top: It gives users a dashboard showing them which apps they've authorized to their Fire Eagle data. It also allows the credentials issued to apps to expire after a certain time, so you're not left with a lot of forgotten apps pinging your personal data.
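To make the difference between the two models concrete, here is an added illustration (not Twitter's, Fire Eagle's or OAuth's own code) of a per-hour request budget keyed by user alone, beside one keyed by user and application with per-app tokens that expire or can be revoked individually. The 70-requests-per-hour figure is the one quoted above; the app names ("forgotten-service", "twhirl", "short-lived"), the token format, the TTL and the polling pattern are constructed for the demo.

```python
"""Why a per-user request budget fails once several apps share one password,
and how per-(user, app) credentials change the picture.

Added illustration for the article; not Twitter's or OAuth's own code.
The 70-requests-per-hour figure is the one the article quotes; app names,
token format, TTL and request timings below are constructed for the demo.
"""
from collections import defaultdict, deque
import secrets

WINDOW_SECONDS = 3600      # one hour
LIMIT_PER_WINDOW = 70      # Twitter's per-user limit as stated in the article


class SlidingWindowLimiter:
    """At most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit=LIMIT_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)      # key -> timestamps still inside the window

    def allow(self, key, now):
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                   # drop requests older than the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class PasswordGateway:
    """The model the article describes: every app holding the user's password
    draws from one shared budget, so the budget is keyed by user only."""

    def __init__(self):
        self.limiter = SlidingWindowLimiter()

    def request(self, user, app, now):
        return self.limiter.allow(user, now)   # `app` cannot influence the outcome


class TokenGateway:
    """OAuth-style model: each (user, app) pair is issued its own token, with
    its own budget and its own expiry, and can be revoked on its own."""

    def __init__(self):
        self.limiter = SlidingWindowLimiter()
        self._tokens = {}                      # token -> (user, app, expires_at)

    def authorize(self, user, app, now, ttl=30 * 24 * 3600):
        token = secrets.token_hex(16)          # opaque; the app never sees the password
        self._tokens[token] = (user, app, now + ttl)
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)          # only this one app loses access

    def authorized_apps(self, user, now):
        """The 'which apps have I authorized' dashboard the article praises."""
        return sorted(app for u, app, exp in self._tokens.values()
                      if u == user and exp > now)

    def request(self, token, now):
        entry = self._tokens.get(token)
        if entry is None or entry[2] <= now:   # unknown, revoked or expired
            return False
        user, app, _ = entry
        return self.limiter.allow((user, app), now)


def simulate():
    """Constructed scenario: a forgotten service polls every 45 s (80 times an
    hour); the user then opens Twhirl near the end of the hour."""
    user, t0 = "rafe", 0
    poll_times = [t0 + 45 * i for i in range(80)]     # 0 .. 3555 s, all in one window
    out = {}

    pw = PasswordGateway()
    out["pw_hog_served"] = sum(pw.request(user, "forgotten-service", t) for t in poll_times)
    out["pw_twhirl_ok"] = pw.request(user, "twhirl", t0 + 3590)   # user budget already spent

    tg = TokenGateway()
    hog_tok = tg.authorize(user, "forgotten-service", t0)
    twhirl_tok = tg.authorize(user, "twhirl", t0)
    short_tok = tg.authorize(user, "short-lived", t0, ttl=60)
    out["tok_hog_served"] = sum(tg.request(hog_tok, t) for t in poll_times)
    out["tok_twhirl_ok"] = tg.request(twhirl_tok, t0 + 3590)     # own budget, untouched
    out["short_before_expiry"] = tg.request(short_tok, t0 + 30)
    out["short_after_expiry"] = tg.request(short_tok, t0 + 60)

    tg.revoke(hog_tok)                                  # disconnect just the hog
    out["hog_after_revoke"] = tg.request(hog_tok, t0 + 3600)
    out["twhirl_after_revoke"] = tg.request(twhirl_tok, t0 + 3600)
    out["dashboard"] = tg.authorized_apps(user, t0 + 3600)
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Under the password model the forgotten service is served 70 times and Twhirl is refused, exactly the "Limit exceeded" described at the top of the post; under the token model the hog hits its own ceiling at 70 while Twhirl is still served, revoking the hog's token stops it without touching Twhirl, and the short-lived token stops working at its expiry. The password change the post recommends corresponds to clearing every entry in the token table at once.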

OAuth is a lot like OpenID (and in fact is modeled after OpenID in some respects) except it's designed to authorize program-to-program communication, not user-to-service log-ins.

Flickr, a pre-OAuth service, also makes for a good example. When you want to give an app access to your Flickr account, the app kicks off a process on Flickr itself in which you authorize the specific app to act on your behalf.

If Twitter is to survive (and potentially make money) as a service provider, it's going to need some way to let apps get priority access to data via an API, and its current log-in-based throttle won't cut it.

Since we're moving toward a Web world in which services and social networks are far more important than their interfaces--and where the best interface builders are often not employed by the companies that make the services they are writing apps for--getting APIs right is critical. Twitter, as much as I love it, got it wrong. I hope architects of new Web 2.0 services don't repeat the same errors.

Rafe Needleman writes about start-ups, new technologies, and Web 2.0 products, as editor of CNET's Webware.
(9 Comments)
by DorianBenkoil April 27, 2008 5:32 PM PDT
Great to know this -- and great point about APIs.
by therazorblade April 27, 2008 7:16 PM PDT
Always nice to see people get it!

OAuth isn't focused on server-to-server communication but on delegating user authentication. It allows a third party to act on behalf of a user without their private credentials (i.e. password). OAuth started as a way to allow using OpenID in API calls.
by penkapp April 27, 2008 10:18 PM PDT
Is this also true for SSBs, like Fluid and Prism? Probably not.
by phdunay April 28, 2008 6:31 AM PDT
Thanks, Rafe

I was having a different problem with the new version of Twhirl - it wasn't allowing me to log in at all.
So I changed my password and bingo, I am in - thanks a bunch
I suspect others may be having this problem
by joshlevy April 28, 2008 9:14 AM PDT
Rafe, good points and happy to see OAuth getting the respect it deserves. This is such an important part of web applications communicating with each other on a user's behalf.

For anyone interested in seeing how it works, we recently released a Screencast of how our API is using the OAuth protocol http://www.viddler.com/explore/beenverified/videos/23
by trhoads82 April 29, 2008 8:08 AM PDT
I think that it is interesting that you blame Twitter for blocking API access when you are not using the, what, 5 or 6 programs you set up to access it. If you are only using one, take the responsibility to shut down the others.

Secondly, while yes, Twitter should be able to shut down an individual's app, that requires a lot of overhead and tracking on their behalf. Changing the password once again puts the responsibility on you. Why shouldn't a user be responsible for the way they are accessing or how often? I think in the larger scheme a password change is a pretty elegant way of fixing this.
by twitmoney May 7, 2008 11:35 AM PDT
Looking at the above article, I'm disappointed. But I'm also confused whether the services I'm trying to use have something to do with these limitations. I will have many people sending messages to 2 of my accounts in Twitter ... they could be 100s or 1000s per hour. Will this be an issue?
On the other hand, I will have an application which uses the Twitter API to get the messages sent to these 2 Twitter accounts and store them in a database ... WILL THIS BE A PROBLEM with Twitter API limitations?
And simultaneously .. I will have another part in the same application, where these 2 users will send direct messages to many Twitter a/cs ...

HELP HELP HELP

Thanks
Mahesh
by DoctorTwitter_com March 31, 2009 7:44 PM PDT
What's the update on the OAuth? Because my auto apply on http://doctortwitter.com is using curl and just authenticating the original way. I want to get a jump on getting it coded for the new OAuth while everything is still early in development and before they completely do away with the old method.
by shortguyy April 16, 2009 3:45 AM PDT
You should check out www.TwitBuddies.com! It's a cool website that lets you check if two people are friends on Twitter. Have a look at http://twitbuddies.com/index2.php?user2=BritneySpears&user1=Google and see if Google and Britney Spears are friends!