---
title: Developer Guidelines
sidebarTitle: Developer Guidelines
description: A practical guide to what's allowed and what's not when building with the X API.
icon: scale-balanced
---
Before building, ask yourself these questions. If you answer "no" to any of them, your app likely violates X's policies.

- For interactions, did the user **explicitly request** it?
- Is your app's purpose and behavior **clear to users**? (Automated accounts must be labeled.)
- Can users **easily opt out** of any ongoing interactions?
- Does it provide **real value** beyond self-promotion?
- Are you **only using the official API** (not scraping or browser automation)?
- Are you **within rate limits** and respecting usage policies?

When in doubt, ask: "Would a user be happy with this experience?" If not, reconsider your approach.

The following real-world examples show what's permitted. These rules apply to all apps, whether you're building a bot, mobile app, web integration, browser extension, analytics dashboard, or any other tool that uses the X API.
**Posting**

| Scenario | Allowed? | Why |
|----------|:--------:|-----|
| Automated account posts scheduled content (news, weather, quotes) | Yes | Informational, no unsolicited mentions |
| App posts RSS feed updates on behalf of user | Yes | Helpful broadcasting |
| Alert service posts earthquake/disaster notifications | Yes | Public safety value |
| Sports app posts game updates to user's timeline | Yes | Informational |
| App posts stock/crypto prices on schedule | Yes | Informational, no manipulation |
| App posts identical content across multiple accounts | No | Spam / platform manipulation |
| App posts to trending topics to gain visibility | No | Trend manipulation |
| Multiple city-specific alert accounts (e.g., @WeatherNYC, @WeatherLA) | Yes | Non-duplicative, location-specific content |

**Replies**

| Scenario | Allowed? | Why |
|----------|:--------:|-----|
| App responds to @mentions asking for help | Yes | User-initiated request |
| App auto-replies to anyone mentioning a keyword | No | Unsolicited interaction |
| App auto-replies to users who reply to your post | Conditional | User engaged first; limit 1 reply. [Conditions apply](#gray-areas-explained) |
| AI-powered app generates and posts replies | Conditional | Requires **prior approval** from X |
| App replies with "follow me for more!" to random users | No | Spam, unsolicited |
| Utility app that unrolls threads when mentioned | Yes | User-initiated utility |

**Direct messages**

| Scenario | Allowed? | Why |
|----------|:--------:|-----|
| App responds to DMs with helpful info | Yes | User-initiated |
| App sends affiliate links when user DMs first | Conditional | User-initiated; must disclose. [Conditions apply](#gray-areas-explained) |
| App auto-DMs new followers with welcome message | No | Unsolicited, even to followers |
| App bulk-DMs users about a product launch | No | Spam |
| Support integration asks "How can I help?" after user DMs | Yes | User-initiated conversation |

**Likes, reposts, follows, and lists**

| Scenario | Allowed? | Why |
|----------|:--------:|-----|
| App auto-likes posts containing a hashtag | No | Automated likes banned |
| Mobile app has "auto-like" feature for selected users | No | Automated likes banned |
| App reposts content from a curated list | Conditional | OK for informational purposes, no bulk spam. [Conditions apply](#gray-areas-explained) |
| Growth tool bulk-follows accounts to grow audience | No | Manipulation |
| App follows back anyone who follows it | No | Bulk/aggressive following |
| App adds users to lists in bulk | No | Indiscriminate list manipulation |

<Warning>**Automated likes are banned with no exceptions.** This applies to all apps—bots, mobile apps, browser extensions, or any integration.</Warning>
<Danger>
**Non-API automation (scraping, browser automation) results in permanent suspension.** Always use the official X API.
</Danger>
These activities will get your app suspended or permanently banned. There are no exceptions.
| Category | Examples |
|---|---|
| Spam & Manipulation | Identical content across accounts, fake engagement, trend manipulation, bulk posting |
| Unsolicited Outreach | Auto-replies to random users, bulk DMs, uninvited @mentions |
| Deceptive Bots | Impersonating humans, hiding bot identity, misleading links/redirects |
| Engagement Selling | Apps that sell likes, follows, retweets, or views |
| Rate Limit Abuse | Exceeding limits, designing apps that encourage overuse |
| Non-API Automation | Browser scripting, scraping, any automation outside official API |
| Account Farms | Multiple accounts for same duplicative purpose |
| Surveillance | Profiling, tracking, or monitoring users without consent |
| Unauthorized AI Training | Using X data to train ML models (Grok excepted) |
| Sensitive Data Derivation | Inferring health, political, religious, or other sensitive attributes |
| Excessive Redistribution | Sharing >1.5M Post IDs per 30-day period |
This section applies specifically to **automated accounts** (bots) that post, reply, or interact on behalf of users. If you're building an analytics dashboard, research tool, or other non-automated app, these labeling requirements don't apply to you—but the technical restrictions still do.
All automated accounts using the X API must meet these requirements:
1. **"Automated" profile label.** This label appears under your bot's name/handle on its profile. Enable it in your app settings to ensure transparency.
2. **Operator disclosure in the bio.** State clearly that it's a bot and who operates it. Example: *"Bot by @yourcompany"* or *"Automated account managed by Example Inc."*
3. **Linked human-managed account.** For accountability and contact purposes, your bot must be associated with a human-managed account.
4. **Opt-out handling.** If a user says "stop," stop. Implement keyword detection for common opt-out phrases.
5. **Official API only.** No scraping, browser automation, or unofficial methods. Violations result in permanent suspension.
6. **Rate limit compliance.** Don't try to circumvent or abuse rate limits. Design your app to handle limits gracefully.

| Action | Allowed? | Rules |
|---|---|---|
| Post tweets | Yes | No unsolicited @mentions. No identical cross-posting. |
| Reply to users | Conditional | Only if user engaged first. Max 1 reply per interaction. |
| Send DMs | Conditional | Only after user DMs you first. Easy opt-out required. |
| Like posts | No | Automated likes are banned. No exceptions. |
| Repost | Conditional | OK for informational/entertainment. No bulk spam. |
| Quote tweet | Conditional | Same rules as repost: no spam or manipulation. |
| Follow/Unfollow | No | No bulk, aggressive, or automated following. |
| Add to Lists | Conditional | No bulk or indiscriminate additions. |
| Bookmark | Yes | Fine for personal/automated use. |
| Search/Read | Yes | Standard use within rate limits. |
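The opt-out detection, the one-reply-per-interaction limit, and the graceful rate-limit handling described above are easy to state and easy to get wrong in a bot's event loop. The following is an added example written for this page, not code from X or from any X SDK: a small reply gate that refuses to reply unless the user engaged first, answers each interaction at most once, remembers opt-outs per user, and computes how long to sleep from the API's rate-limit response. The `Interaction` event shape, the opt-out phrase list, and the header names (`x-rate-limit-remaining`, `x-rate-limit-reset` as a Unix epoch) are assumptions to verify against the current X API docs rather than facts stated on this page.

```python
"""Added example (not X's code): a reply gate for an automated account.

Enforces: reply only to users who engaged first, at most one automated
reply per interaction, honor and remember opt-out requests, and back off
on rate limits instead of retrying. Event shape and header names are
assumptions noted inline.
"""
import re
from dataclasses import dataclass, field

# Opt-out phrases (assumed set; extend it for your audience and language).
OPT_OUT_PATTERN = re.compile(
    r"\b(stop|unsubscribe|opt[\s-]?out|leave me alone|don'?t reply)\b",
    re.IGNORECASE,
)


@dataclass
class Interaction:
    """Constructed event shape for this example; not the X API payload."""
    interaction_id: str  # id of the inbound post or DM
    author_id: str
    text: str
    kind: str  # "mention", "reply_to_our_post", "dm", or "unrelated"


USER_INITIATED = {"mention", "reply_to_our_post", "dm"}


@dataclass
class ReplyGate:
    opted_out: set = field(default_factory=set)  # author ids who said stop
    replied: set = field(default_factory=set)    # interaction ids answered

    def decide(self, ev: Interaction) -> str:
        """Return 'reply', 'skip', or 'opt_out' for an inbound event."""
        if OPT_OUT_PATTERN.search(ev.text):
            # "Stop" means stop: record it before anything else.
            self.opted_out.add(ev.author_id)
            return "opt_out"
        if ev.author_id in self.opted_out:
            return "skip"
        if ev.kind not in USER_INITIATED:
            return "skip"  # the user did not engage first
        if ev.interaction_id in self.replied:
            return "skip"  # max 1 reply per interaction
        self.replied.add(ev.interaction_id)
        return "reply"


def backoff_seconds(status: int, headers: dict, now: float) -> float:
    """Seconds to wait before the next API call.

    Assumes the X API's x-rate-limit-remaining / x-rate-limit-reset headers
    (reset = Unix epoch seconds). Sleeps until the window resets on HTTP 429
    or when the remaining budget is exhausted; otherwise no wait.
    """
    remaining = int(headers.get("x-rate-limit-remaining", "1"))
    reset = float(headers.get("x-rate-limit-reset", now))
    if status == 429 or remaining <= 0:
        return max(0.0, reset - now) + 1.0  # one extra second of slack
    return 0.0


if __name__ == "__main__":
    gate = ReplyGate()
    print(gate.decide(Interaction("1", "u1", "@bot unroll this thread", "mention")))
    print(gate.decide(Interaction("2", "u1", "please STOP", "reply_to_our_post")))
    print(backoff_seconds(429, {"x-rate-limit-remaining": "0",
                                "x-rate-limit-reset": "1000"}, 990.0))
```

Persist `opted_out` outside the process (a database row per user), otherwise a restart forgets who asked you to stop, which is exactly the failure the opt-out rule exists to prevent.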
## Gray Areas Explained

Many developers have questions about edge cases. Here's guidance on common gray areas.

**Affiliate links in replies and DMs.** Allowed if:

- User explicitly requests it (e.g., DMs asking for a recommendation)
- You clearly disclose the affiliate/sponsored relationship
- Links are not misleading (no deceptive redirects)

<Warning>
**Not allowed if:**
- You auto-reply to random posts with affiliate links
- You DM users who didn't ask
- You hide the commercial relationship
</Warning>
**AI-generated replies.** Require prior approval from X.

<Warning>Deploying AI-generated replies without approval is a violation, even if the content itself is helpful.</Warning>

**Welcoming new followers.** Auto-DMing new followers is unsolicited, even though they followed you. Alternatives:

- Pinned tweet welcoming new followers
- Bio with intro info and links
- Auto-reply only if they DM you first
**Multiple accounts.** Allowed when each account serves a distinct, non-duplicative purpose (e.g., city-specific alert accounts).

<Warning>
**Not allowed if:**
- Posting identical/similar content across accounts
- Created to evade suspensions or rate limits
</Warning>

**Customer support outreach.** Allowed when the user engages first (e.g., DMs or @mentions your support account).

<Warning>
**Not allowed if:**
- You reach out to users who complained publicly (unsolicited)
- Responses are primarily promotional
</Warning>

**Contest or giveaway entries.** Entries that depend on likes, follows, or reposts drive the bulk engagement the rules above prohibit.

<Tip>Consider entry methods that don't require engagement actions, like replying with a specific phrase.</Tip>
These requirements are legally binding under the Developer Agreement. Non-compliance can result in termination and legal action.
You must delete X Content from your systems when requested:
| Trigger | Deadline |
|---|---|
| X requests deletion | 24 hours |
| User requests deletion | 24 hours |
| Content is suspended/removed on X | 24 hours |
| Your API access is terminated | 10 business days (must delete all X data) |
Off-X matching means associating X data (username, user ID, posts) with off-platform identifiers (your customer database, email lists, device IDs, etc.).
**Allowed with express opt-in consent:**

- User explicitly agrees to link their X account with your service
- Clear disclosure of what data will be matched and why

**Without consent, you may only match:**

- Information the user directly provided to you
- Publicly available X data (posts, bio, display name, username)
- Public resources like professional directories

Never match if it would surprise the user.

You **cannot** derive, infer, or store information about X users in these categories:

| Category | Examples |
|---|---|
| Health | Medical conditions, pregnancy, disabilities |
| Financial status | Negative financial condition, credit issues |
| Political | Party affiliation, political beliefs, voting |
| Racial/Ethnic | Origin, ethnicity |
| Religious/Philosophical | Beliefs, affiliations |
| Sex life/Sexual orientation | Any inference about sexuality |
| Trade union | Membership or affiliation |
| Criminal | Alleged or actual criminal activity |

When displaying X Content in your app:

| Requirement | Details |
|---|---|
| Attribution | Use proper X branding. Follow Brand Guidelines. |
| No alterations | Only modify for display formatting (resizing). Don't edit content, remove timestamps, or strip metadata. |
| No iframes | Don't display X Content in iframes. Use official embeds or render directly. |
| Respect removals | Remove content within 24 hours if deleted on X. |
These limits apply to all developers. Exceeding them can result in rate limiting or suspension.
| Restriction | Limit |
|---|---|
| Post ID redistribution | Max 1.5M Post IDs per 30-day period to any single entity |
| Hydrated content redistribution | Max 50,000 hydrated Posts or Users per recipient per day |
| Rate limits | Vary by endpoint and tier—see API docs |
| AI/ML training | Prohibited (except for Grok) |
| Non-API access | Prohibited—scraping and browser automation = permanent ban |
| Competitive benchmarking | Prohibited—can't measure X performance vs. competitors |
| Multiple apps for same use case | Prohibited—don't create duplicate apps to bypass limits |

Some use cases carry tier or program requirements:

| Use Case | Requirement |
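The two redistribution limits in the table above (1.5M Post IDs per 30-day period to any single entity, and 50,000 hydrated Posts or Users per recipient per day) are easy to exceed by accident if each export job only checks its own batch. The following is an added example written for this page, not X's code: a quota accountant that tracks a rolling 30-day window of Post IDs and a per-day count of hydrated objects per recipient, and rejects a batch before it would cross either limit. It assumes "entity" and "recipient" are whatever key you use to identify a downstream party, that the daily window is a UTC calendar day, and that timestamps are timezone-aware; none of those details are specified on this page.

```python
"""Added example (not X's code): quota accounting for the redistribution
limits on this page.

Per recipient, Post IDs shared are kept in a rolling 30-day window
(limit 1,500,000) and hydrated Posts/Users per UTC calendar day
(limit 50,000). A batch that would cross a limit is refused and not
recorded. Keys, UTC days and aware timestamps are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

POST_ID_LIMIT_30D = 1_500_000   # Post IDs per 30-day period per entity
HYDRATED_LIMIT_DAY = 50_000     # hydrated Posts or Users per recipient per day
WINDOW_30D = timedelta(days=30)


def at(iso: str) -> datetime:
    """Parse a naive ISO-8601 string as a UTC timestamp (helper for examples)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


class RedistributionQuota:
    def __init__(self) -> None:
        # recipient -> deque of (timestamp, count) batches of Post IDs
        self._ids = defaultdict(deque)
        self._id_totals = defaultdict(int)
        # (recipient, utc_date) -> hydrated objects shared that day
        self._hydrated = defaultdict(int)

    def _expire(self, recipient: str, now: datetime) -> None:
        """Drop Post ID batches that have left the 30-day window."""
        q = self._ids[recipient]
        cutoff = now - WINDOW_30D
        while q and q[0][0] <= cutoff:
            _, n = q.popleft()
            self._id_totals[recipient] -= n

    def post_ids_used(self, recipient: str, now: datetime) -> int:
        self._expire(recipient, now)
        return self._id_totals[recipient]

    def hydrated_used(self, recipient: str, now: datetime) -> int:
        return self._hydrated[(recipient, now.date())]

    def share_post_ids(self, recipient: str, count: int, now: datetime) -> bool:
        """Record a batch of Post IDs; False (nothing recorded) if it would
        push the recipient over the 30-day limit."""
        if count < 0:
            raise ValueError("count must be non-negative")
        if self.post_ids_used(recipient, now) + count > POST_ID_LIMIT_30D:
            return False
        self._ids[recipient].append((now, count))
        self._id_totals[recipient] += count
        return True

    def share_hydrated(self, recipient: str, count: int, now: datetime) -> bool:
        """Record hydrated Posts/Users; False if it would exceed today's limit."""
        if count < 0:
            raise ValueError("count must be non-negative")
        key = (recipient, now.date())
        if self._hydrated[key] + count > HYDRATED_LIMIT_DAY:
            return False
        self._hydrated[key] += count
        return True


if __name__ == "__main__":
    q = RedistributionQuota()
    print(q.share_post_ids("acme", 1_000_000, at("2025-01-01T00:00:00")))
    print(q.share_post_ids("acme", 600_000, at("2025-01-10T00:00:00")))  # refused
    print(q.post_ids_used("acme", at("2025-02-01T00:00:01")))            # first batch expired
```

Because the check happens before the batch is recorded, a refused export leaves the counters untouched, so the caller can split the batch or wait for the window to roll over rather than silently losing track of what was already sent.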
|---|---|
| Government use | Requires Enterprise tier |
| Commercial use | Requires appropriate paid tier; free tier is non-commercial only |
| Academic research | May have different redistribution limits; contact X for details |
| EU Digital Services Act research | Specific non-commercial research provisions available |
Your obligations as a developer:

- Use **industry-standard security** practices to protect X data
- Never share your API credentials or tokens
- Store credentials securely (environment variables, secret managers; not in code)
- Implement proper authentication in your apps

If you experience a security breach involving X data:

- **Notify X immediately**
- Take steps to mitigate the breach
- Cooperate with X's investigation

Confidentiality:

- Treat any non-public information from X as confidential
- Don't disclose API rate limits, internal X data, or non-public features
- Don't use confidential info for competitive purposes

Audits and records:

- X may audit your compliance **up to once per year**
- You must provide reasonable access and documentation
- Keep records of how you use X data

**For Automated Accounts:**
- Enable "Automated" profile label
- Disclose operator in bio
- Wait for users to initiate interaction
- Provide easy opt-out
- Get approval for AI-generated replies
**For All Apps:**
- Use only the official X API
- Respect rate limits and redistribution limits
- Delete content within 24 hours when requested
- Get opt-in consent for off-X matching
- Use proper attribution when displaying X Content
- Secure your credentials and notify X of breaches
- Keep records of your X data usage
**For All Apps, never:**
- Scrape or use browser automation
- Train AI/ML models on X data (except Grok)
- Derive sensitive user data (health, politics, religion, etc.)
- Match X data to off-platform IDs without consent
- Display X Content in iframes
- Redistribute more than limits allow
- Create multiple apps for the same use case
- Use X data for surveillance or user tracking