[wp-hackers] Twitter API and Authentication

Andy Skelton skeltoac at gmail.com
Tue May 11 14:27:09 UTC 2010

> If you're distributing your plugin for WordPress, you would want to ensure
> that it doesn't contain any OAuth consumer keys (API keys) or secrets within
> the source code.

Yeah, that's a major pain. Plugin authors should consider that they
are not providing the Twitter service, but a way for the blogger/admin
to provide their own Twitter service using your plugin. That unfairly
raises the lay user's level of responsibility.

OAuth was made to be easy for users where "users" means people who are
not providing a service, even to themselves. It is a bit harder for
service providers (even self-service, like your plugin's users)
because they have to get an API key. This trashes your plugin's
purpose: "to make it easy for the user".

Speaking of portals, instead of merely providing API keys to end users
you could write your portal to be the OAuth consumer. This way you
would be operating a service in the model for which OAuth was
intended. You would need your own way for your end users' blogs to
authenticate themselves to your server, then you would provide the
link to Twitter. It would again be easy for the user, hard for the

Yeah, that's a major pain. But it lets you provide the value-add.

You try to do something nice for self-hosting bloggers and your
favorite internet juggernaut rolls right over you. Almost makes you
want to drop Twitter altogether.
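
An added example, not part of the original post: one way a portal acting as the OAuth consumer could authenticate its end users' blogs, so that the Twitter consumer secret stays on the portal and never ships in the plugin. The HMAC scheme with a per-blog shared secret, and every name and value below, are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample values; a real portal would issue one secret per blog
# at registration and store it server-side.
BLOG_SECRETS = {"blog-123": b"per-blog-secret-issued-at-registration"}
# Placeholder: held only by the portal, never shipped in the plugin source.
TWITTER_CONSUMER_SECRET = "PLACEHOLDER-consumer-secret"
MAX_SKEW = 300  # seconds a signed request stays acceptable


def sign_request(blog_id, secret, timestamp, body):
    """Plugin side: sign blog id, timestamp and body with the blog's secret."""
    msg = f"{blog_id}\n{timestamp}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(blog_id, timestamp, body, signature, now=None):
    """Portal side: accept only fresh requests signed by a known blog."""
    now = time.time() if now is None else now
    secret = BLOG_SECRETS.get(blog_id)
    if secret is None:
        return False  # unknown blog
    if abs(now - timestamp) > MAX_SKEW:
        return False  # stale or replayed request
    expected = sign_request(blog_id, secret, timestamp, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def handle_tweet(blog_id, timestamp, body, signature, now=None):
    """Portal endpoint logic: relay a status update only for a verified blog."""
    if not verify_request(blog_id, timestamp, body, signature, now):
        return {"status": 401, "error": "blog authentication failed"}
    # The outbound Twitter call, signed with TWITTER_CONSUMER_SECRET, would be
    # made at this point; this example covers only the blog-to-portal check.
    return {"status": 202, "queued_for": blog_id, "bytes": len(body)}


if __name__ == "__main__":
    ts = int(time.time())
    body = b"status=hello"
    sig = sign_request("blog-123", BLOG_SECRETS["blog-123"], ts, body)
    print(handle_tweet("blog-123", ts, body, sig))
    print(handle_tweet("blog-123", ts, b"status=tampered", sig))
```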

