Skip to main content
Deadline: March 31, 2026. Starting March 31, all X/Twitter operations through Ayrshare will require your own X API credentials. After this date, requests without BYO credentials will be rejected. This affects posting, analytics, comments, history, and all other X endpoints.
As of March 31, 2026, X is updating how third-party platforms access its API. As a result, anyone posting to X through a third-party tool must provide their own X API key and API Secret. This is a platform-wide, breaking change mandated by X that affects all third-party tools. To continue posting to X through Ayrshare without interruption, you’ll need to add your credentials by March 31, 2026. We’ve streamlined the setup process to make this as simple as possible, and it should take less than 10 minutes to complete. Follow our step-by-step guide below, and if you need any help along the way, our team is here to assist.

Step 1: Create Your X Developer Account

1

Sign in to the Developer Console

Go to console.x.com and sign in with your X account. See X’s getting started guide if you need help.X Developer Console sign-in page
2

Complete onboarding

Complete the developer onboarding and accept the Developer Agreement and policies.
3

Access the console

You’re now in the X Developer Console.

Step 2: Create an App

1

Navigate to Apps

In the Developer Console, navigate to Apps.Apps page in X Developer Console
2

Create the app

In the App dashboard, click Create App (see X’s App setup docs for details). Enter an app name — typically your brand name. This name will appear in the OAuth authorization screen when users connect their X account.Create App button in the X Developer Console
3

Select environment

Select the Production environment in the dropdown.Production environment selection and credentials popup
4

Close the initial credentials popup

X will generate several credentials. Ignore these credentials and close this window.

Step 3: Configure App Permissions

1

Open your app settings

Under “Apps,” locate the new app (refresh the page if it doesn’t appear), then click it to view its details.App details page in the X Developer ConsoleUnder User authentication settings, click Set up.User authentication settings — click Set up
2

Set app permissions

Under App permissions, select Read and write and Direct message. This is required for full feature support, including posting and DMs.App permissions set to Read and write and Direct message
3

Set app type

Under Type of App, select Web App, Automated App or Bot. This is the right choice for server-side integrations like Ayrshare.Type of App set to Web App, Automated App or Bot
4

Set callback and website URLs

Under App info:
  • Callback URL: https://api.ayrshare.com/social-accounts (required for future dashboard linking; harmless to set now even if you’re API-only)
  • Website URL: https://api.ayrshare.com
App info form with callback URL and website URL filled in
5

Save your settings

Click Save. You can ignore the OAuth 2.0 popup — you will only be using the 4 OAuth 1.0 keys.
Important: Regenerate your OAuth 1.0 Keys after changing permissions. Access Tokens are created with the permissions that exist at the moment they are generated. If you initially created your app with “Read” access and later changed it to “Read and write,” your existing Access Token will still only have “Read” permissions.To apply the updated permissions:
  • Under OAuth 1.0 Keys, use the Regenerate and Generate buttons to get new tokens with the updated permissions.
  • You can verify it worked: the Access Token section will show the current permission level (e.g., “Read and write”).
Keys and tokens page showing OAuth 1.0 keys with permission level
Please make sure you store all 4 of these keys:
  1. X API Key (aka Consumer Key, the X app identifier)
  2. API Secret (aka Consumer Secret)
  3. Access Token
  4. Access Token Secret

Step 4: Purchase X API Credits

X now uses credit-based API billing, purchased through the developer console.
1

Navigate to billing

In the Developer Console, click Billing → Credits in the left sidebar.Billing Credits page in X Developer Console
2

Purchase credits

Purchase credits (the minimum is $5, which is enough for hundreds of API calls). Each API call is a fraction of a penny, so the cost should be minimal for most users.Credit purchase page in the X Developer Console
3

Enable auto-recharge

You can enable auto-recharge to avoid service interruptions, and manage your spend cap by setting a maximum amount you can spend in your billing cycle.Auto-recharge and spend cap settings in X Developer Console
Your API calls will fail without credits. X’s API is now pay-per-use — if your credit balance is zero, every API request will return a 402 CreditsDepleted error with the message “Your enrolled account does not have any credits to fulfill this request.” This includes posting, reading tweets, and user lookups. Load credits before testing your integration. See How X API Pricing Works for a full update on X’s pricing.

Step 5: Update Your Ayrshare API Calls

In Step 3, you saved these 4 items securely in your own env, config, or secrets manager:
  1. X API Key (aka Consumer Key, the X app identifier)
  2. API Secret (aka Consumer Secret)
  3. Access Token
  4. Access Token Secret
Now, add your X credentials to the headers of your Ayrshare API calls.
Your keys stay private. Ayrshare does not log, store, or retain your API keys or secrets. Your credentials are passed directly to X and discarded.

Header Reference

HeaderValue
X-Twitter-OAuth1-Api-KeyAPI Key (Consumer Key)
X-Twitter-OAuth1-Api-SecretAPI Key Secret (Consumer Secret)
X-Twitter-OAuth1-Access-TokenAccess Token
X-Twitter-OAuth1-Access-Token-SecretAccess Token Secret
How to tell if your permissions are wrong:
  • If your app permissions are misconfigured, your API request may return a 403 Forbidden error with the message: “Your client app is not configured with the appropriate OAuth1 app permissions.”
  • You may also see the response header: x-access-level: read. This indicates your Access Token was generated with read-only permissions.
If your app is configured for “Read and write,” you’ll need to regenerate your OAuth 1.0 Access Token so it inherits the updated permissions.

Code Examples

curl -X POST https://api.ayrshare.com/api/post \
  -H "Authorization: Bearer YOUR_AYRSHARE_API_KEY" \
  -H "X-Twitter-OAuth1-Api-Key: your_api_key" \
  -H "X-Twitter-OAuth1-Api-Secret: your_api_secret" \
  -H "X-Twitter-OAuth1-Access-Token: your_access_token" \
  -H "X-Twitter-OAuth1-Access-Token-Secret: your_access_token_secret" \
  -H "Content-Type: application/json" \
  -d '{"post": "Hello from my own X App!", "platforms": ["twitter"]}'
Your existing automations and workflows will continue working — just include the 4 BYO headers in every request that targets X.

Verify Your Setup

Make a test call through the Ayrshare API with your new headers to confirm everything is working. The /analytics/social endpoint is a good lightweight test — it won’t create any posts.

How X API Pricing Works

Previously, Ayrshare covered the cost of X’s API usage on your behalf. Under X’s updated model, each user maintains their own X Developer account and pays X directly for the API requests their application makes. X’s new model is pay-per-use: you purchase credits in the X Developer Console, and they are deducted as API requests are made. No contracts or subscriptions are needed. Typical operations are inexpensive. For example:
OperationApproximate cost
Creating a post (text only)~$0.01 per post
Creating a post with media~$0.02 per post (media upload and post creation are separate requests)
Reading a post~$0.005 per read
User lookup~$0.01 per lookup
Sending a DM~$0.01 per message
Reading DM events~$0.01 per event
User interactions (follow, like, etc.)~$0.015 per request
For context, if you’re posting about 100 times per month, your direct X cost would likely be around $1, and posts with media would be roughly $2 per month.
X’s pay-per-use pricing is currently in a pilot phase. Rates are subject to change, and additional costs may be introduced. Always check the Developer Console for the most current pricing. See X’s pricing information breakdown.
We know this introduces a cost that didn’t exist before, and we want to be transparent about that. At the same time, this model also unlocks several benefits that weren’t possible under the previous shared-key setup.

Benefits of Using Your Own X API Key

Using your own X API credentials provides more control and reliability than the previous shared-key model. This includes:
  • Branded OAuth experience: Users see your app name and branding when authorizing X access.
  • Dedicated rate limits: Your API usage is separate from other Ayrshare users, so activity on the platform won’t affect your limits. You can monitor your usage and rate limits in the X Developer Console and review the X API rate limits documentation.
  • Credential control: Your API Key and Secret stay in your own X Developer account. Ayrshare does not store your secret keys.
  • Portability: Because users authenticate with your X App, your integration remains fully under your control.
  • Usage visibility: Your X Developer dashboard shows API requests, rate limits, and credit usage.
X is the first platform requiring this model, but more platforms are moving toward “bring your own API key.” We’re expanding this capability across Ayrshare, so developers have the same control and independence across all social platforms.

Security

FAQ

Starting March 31, 2026, all X operations through Ayrshare will require your own X API credentials. We recommend setting up your X Developer account and updating your integration before this date.
After March 31, 2026, posting to X through Ayrshare will stop working. Posting to other platforms (Instagram, LinkedIn, Facebook, TikTok, etc.) will continue as normal.
X charges per API call. Creating a post costs about $0.01, and reading a post costs about $0.005. For example, publishing 100 posts per month would cost roughly $1. See X’s pricing page for the full details.
No. Your Ayrshare subscription price stays the same. The only additional cost is the X API usage fee billed directly by X through your developer account.
Your credentials are used only for the request and are not stored or logged. For general security best practices, see X’s authentication security guide.
Yes. You can use your existing X App as long as it has “Read and write” permissions enabled (and Direct Messages if you use DM features).You’ll need to include your four OAuth 1.0a credentials (API Key, API Key Secret, Access Token, and Access Token Secret) in the headers of your Ayrshare API requests. These can be found in the Keys and tokens section of the X Developer Console.If your Access Token was created before updating the app permissions, you’ll need to regenerate it so the token inherits the updated access level. For instructions, see Step 3.
We know X’s “Keys and tokens” page can be confusing. You need all 4 OAuth 1.0a values — API Key, API Key Secret, Access Token, and Access Token Secret. See the header reference table above for exactly which Ayrshare header each one maps to. You can ignore the Client ID, Client Secret, and Bearer Token.
They’re completely different credentials for different authentication methods:
  • API Key (also called “Consumer Key”) is for OAuth 1.0a — this is what Ayrshare uses for BYO. It works with all X features, tokens never expire, and no refresh logic is needed.
  • Client ID is for OAuth 2.0 — you do NOT need this for Ayrshare. OAuth 2.0 tokens expire after a short period and require refresh token management.
For Ayrshare, you only need the 4 OAuth 1.0a credentials: API Key, API Key Secret, Access Token, and Access Token Secret. You can ignore the Client ID and Client Secret.
OAuth 2.0 access tokens expire every 2 hours and X’s refresh tokens are single-use (each refresh invalidates the old token). This makes it impossible to support a stateless BYO model, especially for scheduled posts. OAuth 1.0a tokens never expire, work with all X features, and require zero token management.
No. This change only affects posting to X. All other platform integrations in Ayrshare continue working as usual.
RSS auto-posting to X is no longer supported. RSS feeds run automatically on a schedule, but the bring-your-own API key model requires credentials to be provided with each API request. Because of this, RSS feeds cannot authenticate when the post is sent.If you previously used RSS to post to X, we recommend switching to scheduled posts or direct API calls that include your credentials. RSS auto-posting to all other platforms is unchanged.
This means your X Developer account has no API credits available. Go to console.x.comBilling → Credits and purchase credits. Even $5 is enough for hundreds of API calls. Once credits are loaded, retry your request.
Your Access Token doesn’t have the right permissions. This usually means one of two things:
  1. Your app permissions are set to “Read” instead of “Read and write.” Go to your app’s Settings in the Developer Console and change it to Read and write and Direct message.
  2. You changed permissions but didn’t regenerate your Access Token. Old tokens keep the permissions they were created with. Go to Keys and tokens → Access Token and Secret → Regenerate. The new token will inherit the updated permissions.
You can confirm this: the Access Token section in the Developer Console shows the current permission level (e.g., “Read and write”).
Our support team is happy to help. If you have any questions or run into issues during setup, please reach out via support@ayrshare.com, and we’ll walk you through the process.

Troubleshooting

All 4 OAuth 1.0a headers are required for every X/Twitter request. Check that you’re sending all of them:
  • X-Twitter-OAuth1-Api-Key
  • X-Twitter-OAuth1-Api-Secret
  • X-Twitter-OAuth1-Access-Token
  • X-Twitter-OAuth1-Access-Token-Secret
The error message will tell you which specific headers are missing.
Your X Developer account has no API credits loaded. Go to console.x.comBilling → Credits and purchase credits. Even $5 is enough for hundreds of API calls.
Your Access Token doesn’t have the right permissions. This usually means:
  1. Your app permissions are set to “Read” instead of “Read and write.” Go to your app’s Settings in the Developer Console and change it to Read and write and Direct message.
  2. You changed permissions but didn’t regenerate your Access Token. Old tokens keep the permissions they were created with. Go to Keys and tokens → Access Token and Secret → Regenerate.
You can also check the x-access-level response header — if it shows read, your Access Token was generated with read-only permissions and needs to be regenerated.You can verify the fix — the Access Token section in the Developer Console shows the current permission level.

Need Help?

If you have any questions or run into issues while setting up your X API key, our engineering team is happy to help. You can reach us anytime at support@ayrshare.com.