Twitter boots 143K bad apps, throttles developer access to API

Devs now have to register and will be limited to 10 apps. Those apps have been put on an activity diet: no more endless gorging on spam/privacy invasion/bot-pestering.

We’re sick and tired of our APIs being used to spam, invade privacy and manipulate conversations, Twitter said on Tuesday, announcing that it bumped over 143K bad apps off the platform between April and June.

Yoel Roth of API policy and Rob Johnson, senior director product management, said in a post that in its ongoing efforts to make Twitter healthier and stop malicious apps faster, it’s going to limit the access the apps have to its platform in the first place.

To that end, devs, welcome to a few new hoops you’ll have to jump through to develop Twitter apps – specifically, to develop all of your new, default allotment of 10 apps.

To wit:

No ticket? No laundry. As of Tuesday, all new requests for access to both standard and premium APIs have to go through registration. Twitter introduced a new developer account application process in November that includes use case reviews, policy compliance checks and new protections to prevent the registration of spammy and low-quality apps. So welcome to that: no more free and easy access to the API, nor to the not-free and more firehosey API, for that matter.

Yes, it’s a bit more work, but Twitter thinks it will limit the number of bad actors:

While this change adds a few steps and some additional time to the process of getting started with access to our APIs, we’re committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service.

The change means that to get at Twitter’s APIs, you’re going to have to apply for a developer account using the new developer portal at After you’re approved, you can create new apps or manage existing apps on the developer portal, though you can also still manage existing apps on

Same change is coming for existing apps. Twitter will give developers of existing apps at least a 90-day heads-up before it requires them to complete a developer account application in order to maintain their apps.

All developers are going to have to provide detailed information about how they use or intend to use Twitter’s APIs so that the platform can better ensure compliance with its policies. If an app doesn’t comply, it will be rejected. Also, developers that request additional products or features down the line could be looking at additional, more radical policy reviews. That will apply if, say, developers want their apps to post more frequently or at higher volumes than new rate limits allow.

One developer account = 10 apps. The new default number of apps that can be registered by a single developer account is now 10. Need more? You can request permission by using the API Policy support form. Developers who already have more than 10 apps registered can continue to use them – as long as those apps behave and comply with policy.

No more hyperactivity. Twitter’s imposing new rate limits for POST endpoints. That should cut down on spam posts, Twitter says, though the rates will apply to any app that tweets, retweets, likes, follows, or direct messages.

These are the new default limits …

  • Tweets and retweets (combined): 300 per 3 hours
  • Likes: 1000 per 24 hours
  • Follows: 1000 per 24 hours
  • Direct messages: 15,000 per 24 hours

…that will go into effect on 10 September. This is a big drop from the existing rate of POST activity allowed from a single app by default, Twitter says, but at least apps that are playing nicely now can keep on doing what they’re doing: Policy-compliant developers can maintain existing rates of POST activity, plus they can request elevated rate limits if need be.

Twitter’s now reviewing policy of potentially affected apps and plans to let eligible developers know how to request elevated access so their apps won’t be affected when the new rate limits go into effect in September. Check that your email’s up to date so that Twitter can contact you if necessary.

It would have been nice to give a longer chunk of time before introducing a big change like that, Johnson and Roth said. Twitter greased the rails because “protecting our platform and people using Twitter from abuse and manipulation is our highest priority.”

One would imagine that another highest priority is not getting sued by the European Union, fed up as it is with what it says is the feeble, not-fast-enough removals of hate speech, extremist content and propaganda, to name just a few products of the bad-app situation, by Twitter and its social media brethren.

Another highest priority well might be heeding a declaration passed down from Unilever last month when CMO Keith Weed announced that the company’s had it up to here with fake followers and bots.

Earlier this month, Twitter shuttered accounts linked to election hacking. That move followed Twitter’s removal of tens of millions of suspicious, probably fake accounts from users’ followers lists.

Will any of these moves against fake/bot accounts help?

There are skeptics. One such, Geoff Golberg, says he started looking into Twitter’s spam detection tools when somebody bought his Twitter account 10K fake/bot followers. One thing he says he found was a “family of Twitter accounts” he said were falsely representing North Carolina and various North Carolina municipalities to “amplify Trump/right-leaning content in a coordinated fashion.”

In a post on Medium, Golberg said Twitter didn’t take his complaints seriously.

He pointed to this thread …

… from voting system researcher Mike Farb, who describes how Twitter accounts can automatically be created, re-named and re-purposed, while hijacked accounts can be “sanitized” by deleting old tweets and changing their handles, screen names and imagery.

The recent Twitter Purge is a step in the right direction, Golberg says, but it’s just “the tip of the iceberg,” given how tangled the fake-account ecosystem is.