Developer Guidelines

Violations can result in app suspension, API access revocation, or permanent account bans. Always review the official policies before building.

Developer Agreement

Binding legal terms for API access

Developer Policy

Rules for building on X

Automation Rules

Specific rules for bots

Restricted Use Cases

Prohibited activities

Quick check: is my app allowed?

Before building, ask yourself these questions. If you answer “no” to any of them, your app likely violates X’s policies.

User-initiated?

For interactions, did the user explicitly request it?

Transparent?

Is your app’s purpose and behavior clear to users? (Automated accounts must be labeled.)

Easy opt-out?

Can users easily opt out of any ongoing interactions?

Real value?

Does it provide real value beyond self-promotion?

Official API only?

Are you only using the official API (not scraping/browser automation)?

Within limits?

Are you within rate limits and respecting usage policies?

When in doubt, ask: “Would a user be happy with this experience?” If not, reconsider your approach.

Common scenarios: allowed or not?

Real-world examples to help you understand what’s permitted. These rules apply to all apps—whether you’re building a bot, mobile app, web integration, browser extension, analytics dashboard, or any other tool that uses the X API.

Scenario	Allowed?	Why
Automated account posts scheduled content (news, weather, quotes)		Informational, no unsolicited mentions
App posts RSS feed updates on behalf of user		Helpful broadcasting
Alert service posts earthquake/disaster notifications		Public safety value
Sports app posts game updates to user’s timeline		Informational
App posts stock/crypto prices on schedule		Informational, no manipulation
App posts identical content across multiple accounts		Spam / platform manipulation
App posts to trending topics to gain visibility		Trend manipulation
Multiple city-specific alert accounts (e.g., @WeatherNYC, @WeatherLA)		Allowed—non-duplicative, location-specific content

Scenario	Allowed?	Why
App responds to @mentions asking for help		User-initiated request
App auto-replies to anyone mentioning a keyword		Unsolicited interaction
App auto-replies to users who reply to your post		User engaged first—limit 1 reply. Conditions apply
AI-powered app generates and posts replies		Requires prior approval from X
App replies with “follow me for more!” to random users		Spam, unsolicited
Utility app that unrolls threads when mentioned		User-initiated utility

Scenario	Allowed?	Why
App responds to DMs with helpful info		User-initiated
App sends affiliate links when user DMs first		User-initiated—must disclose. Conditions apply
App auto-DMs new followers with welcome message		Unsolicited, even to followers
App bulk-DMs users about a product launch		Spam
Support integration asks “How can I help?” after user DMs		User-initiated conversation

Scenario	Allowed?	Why
Third-party app lets user tap a like button on a post		User-initiated through the app
App auto-likes posts containing a hashtag		Automated, not user-initiated
Mobile app has “auto-like” feature for selected users		Automated, not user-initiated
Service sells likes or offers “bulk like” packages		Selling engagement is prohibited
App reposts content from a curated list		OK for informational purposes, no bulk spam. Conditions apply
Growth tool bulk-follows accounts to grow audience		Manipulation
App follows back anyone who follows it		Bulk/aggressive following
App adds users to lists in bulk		Indiscriminate list manipulation

Likes must be directly initiated by the authenticated user. Automated, bulk, or indiscriminate liking — including auto-liking by keyword, hashtag, user, or schedule — is prohibited. Apps may not offer “auto-like” features or sell likes as a service. This applies to all apps—bots, mobile apps, browser extensions, or any integration.

Scenario	Allowed?	Why
App sends product recommendations when asked		User-initiated
App replies to random posts with affiliate links		Unsolicited spam
Giveaway app that requires follows/retweets to enter		Risky—can be seen as engagement manipulation
Service selling likes/follows/retweets		Strictly prohibited
Tip service that sends crypto when user requests		User-initiated—comply with financial regulations. Conditions apply

Scenario	Allowed?	Why
App tracks brand mentions for analytics dashboard		Valid use case
App scrapes X via browser automation (not API)		Permanent suspension—API only
App stores X data to train AI/ML models		Prohibited (except Grok)
App redistributes >1.5M posts in 30 days		Exceeds redistribution limits
App benchmarks X performance vs competitors		Prohibited competitive analysis
Academic research on public conversation trends		Valid with proper data handling

Non-API automation (scraping, browser automation) results in permanent suspension. Always use the official X API.

Prohibited activities

These activities will get your app suspended or permanently banned. There are no exceptions.

Category	Examples
Spam & Manipulation	Identical content across accounts, fake engagement, trend manipulation, bulk posting
Unsolicited Outreach	Auto-replies to random users, bulk DMs, uninvited @mentions
Deceptive Bots	Impersonating humans, hiding bot identity, misleading links/redirects
Engagement Selling	Apps that sell likes, follows, retweets, or views
Rate Limit Abuse	Exceeding limits, designing apps that encourage overuse
Non-API Automation	Browser scripting, scraping, any automation outside official API
Account Farms	Multiple accounts for same duplicative purpose
Surveillance	Profiling, tracking, or monitoring users without consent
Unauthorized AI Training	Using X data to train ML models (Grok excepted)
Sensitive Data Derivation	Inferring health, political, religious, or other sensitive attributes
Excessive Redistribution	Sharing >1.5M Post IDs per 30-day period

Automation rules

This section applies specifically to automated accounts (bots) that post, reply, or interact on behalf of users. If you’re building an analytics dashboard, research tool, or other non-automated app, these labeling requirements don’t apply to you—but the technical restrictions still do.

Requirements for automated accounts

All automated accounts using the X API must meet these requirements:

Enable the 'Automated' profile label

This label appears under your bot’s name/handle on its profile. Enable it in your app settings to ensure transparency.

Disclose in bio

State clearly that it’s a bot and who operates it. Example: “Bot by @yourcompany” or “Automated account managed by Example Inc.”

Link to a human-managed account

For accountability and contact purposes, your bot must be associated with a human-managed account.

Honor opt-out requests immediately

If a user says “stop,” stop. Implement keyword detection for common opt-out phrases.

Use only the official X API

No scraping, browser automation, or unofficial methods. Violations result in permanent suspension.

Stay within rate limits

Don’t try to circumvent or abuse rate limits. Design your app to handle limits gracefully.

Automated actions: what’s allowed?

Action	Allowed?	Rules
Post tweets		No unsolicited @mentions. No identical cross-posting.
Reply to users		Only if user engaged first. Max 1 reply per interaction.
Send DMs		Only after user DMs you first. Easy opt-out required.
Like posts		Must be directly user-initiated. Auto-liking, bulk liking, and selling likes are prohibited.
Repost		OK for informational/entertainment. No bulk spam.
Quote tweet		Same rules as repost—no spam or manipulation.
Follow/Unfollow		No bulk, aggressive, or automated following.
Add to Lists		No bulk or indiscriminate additions.
Bookmark		Fine for personal/automated use.
Search/Read		Standard use within rate limits.

Gray areas explained

Many developers have questions about edge cases. Here’s guidance on common gray areas.

Affiliate links & promotions

Allowed if:

User explicitly requests it (e.g., DMs asking for a recommendation)
You clearly disclose the affiliate/sponsored relationship
Links are not misleading (no deceptive redirects)

Not allowed if:

You auto-reply to random posts with affiliate links
You DM users who didn’t ask
You hide the commercial relationship

AI-generated content & replies

Requires prior approval from X before deployment
Must still follow all rules (no unsolicited mentions, properly labeled)
Contact X via the Policy Support form before launching
Even with approval, cannot impersonate humans

Deploying AI-generated replies without approval is a violation, even if the content itself is helpful.

Welcome messages to new followers

Not allowed as automated DMs—this counts as unsolicited contact, even though they followed you.Alternatives:

Pinned tweet welcoming new followers
Bio with intro info and links
Auto-reply only if they DM you first

Multiple accounts / regional bots

Allowed if:

Each account serves non-duplicative purposes (e.g., @EarthquakeJP, @EarthquakeCA)
Content is meaningfully different (location-specific, language-specific)
Not used to bypass limits or amplify the same message

Not allowed if:

Posting identical/similar content across accounts
Created to evade suspensions or rate limits

Customer support automation

Allowed if:

User initiates (mentions you, DMs you, or explicitly opts in)
Clear opt-out mechanism exists
Responses are helpful, not promotional
Includes privacy policy link in DMs

Not allowed if:

You reach out to users who complained publicly (unsolicited)
Responses are primarily promotional

Giveaways & contests

Proceed with caution:

Requiring follows/retweets as entry can be seen as engagement manipulation
Must comply with X’s contest guidelines
Don’t use multiple accounts to amplify
Ensure prizes are real and delivered

Consider entry methods that don’t require engagement actions, like replying with a specific phrase.

Data handling and display requirements

These requirements are legally binding under the Developer Agreement. Non-compliance can result in termination and legal action.

Content deletion

You must delete X Content from your systems when requested:

Trigger	Deadline
X requests deletion	24 hours
User requests deletion	24 hours
Content is suspended/removed on X	24 hours
Your API access is terminated	10 business days (must delete all X data)

Use Compliance Firehose to receive real-time deletion events and stay compliant automatically.

Off-X matching

Off-X matching means associating X data (username, user ID, posts) with off-platform identifiers (your customer database, email lists, device IDs, etc.).

Allowed with express opt-in consent:

User explicitly agrees to link their X account with your service
Clear disclosure of what data will be matched and why

Without consent, you may only match:

Information the user directly provided to you
Publicly available X data (posts, bio, display name, username)
Public resources like professional directories

Never match if it would surprise the user.

Sensitive data

You cannot derive, infer, or store information about X users in these categories:

Category	Examples
Health	Medical conditions, pregnancy, disabilities
Financial status	Negative financial condition, credit issues
Political	Party affiliation, political beliefs, voting
Racial/Ethnic	Origin, ethnicity
Religious/Philosophical	Beliefs, affiliations
Sex life/Sexual orientation	Any inference about sexuality
Trade union	Membership or affiliation
Criminal	Alleged or actual criminal activity

Exception: Aggregate analysis without storing personal identifiers (no user IDs, usernames, or linkable data) may be allowed for research purposes, subject to applicable laws.

Displaying X content

Requirement	Details
Attribution	Use proper X branding. Follow Brand Guidelines.
No alterations	Only modify for display formatting (resizing). Don’t edit content, remove timestamps, or strip metadata.
No iframes	Don’t display X Content in iframes. Use official embeds or render directly.
Respect removals	Remove content within 24 hours if deleted on X.

Technical restrictions

These limits apply to all developers. Exceeding them can result in rate limiting or suspension.

Restriction	Limit
Post ID redistribution	Max 1.5M Post IDs per 30-day period to any single entity
Hydrated content redistribution	Max 50,000 hydrated Posts or Users per recipient per day
Rate limits	Vary by endpoint and tier—see API docs
AI/ML training	Prohibited (except for Grok)
Non-API access	Prohibited—scraping and browser automation = permanent ban
Competitive benchmarking	Prohibited—can’t measure X performance vs. competitors
Multiple apps for same use case	Prohibited—don’t create duplicate apps to bypass limits

Special use cases

Use Case	Requirement
Government use	Requires Enterprise tier
Commercial use	Requires appropriate paid tier; free tier is non-commercial only
Academic research	May have different redistribution limits; contact X for details
EU Digital Services Act research	Specific non-commercial research provisions available

Security and compliance

Your obligations as a developer:

Security requirements

Use industry-standard security practices to protect X data
Never share your API credentials or tokens
Store credentials securely (environment variables, secret managers—not in code)
Implement proper authentication in your apps

Breach notification

If you experience a security breach involving X data:

Notify X immediately
Take steps to mitigate the breach
Cooperate with X’s investigation

Confidentiality

Treat any non-public information from X as confidential
Don’t disclose API rate limits, internal X data, or non-public features
Don’t use confidential info for competitive purposes

Audit rights

X may audit your compliance up to once per year
You must provide reasonable access and documentation
Keep records of how you use X data

Summary: do’s and don’ts

Do
Don't

For Automated Accounts:

Enable “Automated” profile label
Disclose operator in bio
Wait for users to initiate interaction
Provide easy opt-out
Get approval for AI-generated replies

For All Apps:

Use only the official X API
Respect rate limits and redistribution limits
Delete content within 24 hours when requested
Get opt-in consent for off-X matching
Use proper attribution when displaying X Content
Secure your credentials and notify X of breaches
Keep records of your X data usage

Developer Agreement

Developer Policy

Automation Rules

Restricted Use Cases

​Quick check: is my app allowed?

User-initiated?

Transparent?

Easy opt-out?

Real value?

Official API only?

Within limits?

​Common scenarios: allowed or not?

​Prohibited activities

​Automation rules

​Requirements for automated accounts

​Automated actions: what’s allowed?

​Gray areas explained

​Data handling and display requirements

​Content deletion

​Off-X matching

​Sensitive data

​Displaying X content

​Technical restrictions

​Special use cases

​Security and compliance

​Summary: do’s and don’ts

Quick check: is my app allowed?

Common scenarios: allowed or not?

Prohibited activities

Automation rules

Requirements for automated accounts

Automated actions: what’s allowed?

Gray areas explained

Data handling and display requirements

Content deletion

Off-X matching

Sensitive data

Displaying X content

Technical restrictions

Special use cases

Security and compliance

Summary: do’s and don’ts