Developer Agreement
Binding legal terms for API access
Developer Policy
Rules for building on X
Automation Rules
Specific rules for bots
Restricted Use Cases
Prohibited activities
Quick check: is my app allowed?
Before building, ask yourself these questions. If you answer “no” to any of them, your app likely violates X’s policies.User Initiated?
For interactions, did the user explicitly request it?
Transparent?
Is your app’s purpose and behavior clear to users? (Automated accounts must be labeled.)
Easy Opt-Out?
Can users easily opt out of any ongoing interactions?
Real Value?
Does it provide real value beyond self-promotion?
Official API Only?
Are you only using the official API (not scraping/browser automation)?
Within Limits?
Are you within rate limits and respecting usage policies?
Common scenarios: allowed or not?
Real-world examples to help you understand what’s permitted. These rules apply to all apps—whether you’re building a bot, mobile app, web integration, browser extension, analytics dashboard, or any other tool that uses the X API.- Content & Posting
- Replies & Mentions
- Direct Messages
- Engagement
- Promotions & Commerce
- Data & Research
Prohibited activities
Automation rules
This section applies specifically to automated accounts (bots) that post, reply, or interact on behalf of users. If you’re building an analytics dashboard, research tool, or other non-automated app, these labeling requirements don’t apply to you—but the technical restrictions still do.
Requirements for automated accounts
All automated accounts using the X API must meet these requirements:1
Enable the 'Automated' profile label
This label appears under your bot’s name/handle on its profile. Enable it in your app settings to ensure transparency.
2
Disclose in bio
State clearly that it’s a bot and who operates it. Example: “Bot by @yourcompany” or “Automated account managed by Example Inc.”
3
Link to a human-managed account
For accountability and contact purposes, your bot must be associated with a human-managed account.
4
Honor opt-out requests immediately
If a user says “stop,” stop. Implement keyword detection for common opt-out phrases.
5
Use only the official X API
No scraping, browser automation, or unofficial methods. Violations result in permanent suspension.
6
Stay within rate limits
Don’t try to circumvent or abuse rate limits. Design your app to handle limits gracefully.
Automated actions: what’s allowed?
Gray areas explained
Many developers have questions about edge cases. Here’s guidance on common gray areas.Affiliate Links & Promotions
Affiliate Links & Promotions
Allowed if:
- User explicitly requests it (e.g., DMs asking for a recommendation)
- You clearly disclose the affiliate/sponsored relationship
- Links are not misleading (no deceptive redirects)
AI-Generated Content & Replies
AI-Generated Content & Replies
- Requires prior approval from X before deployment
- Must still follow all rules (no unsolicited mentions, properly labeled)
- Contact X via the Policy Support form before launching
- Even with approval, cannot impersonate humans
Welcome Messages to New Followers
Welcome Messages to New Followers
Not allowed as automated DMs—this counts as unsolicited contact, even though they followed you.Alternatives:
- Pinned tweet welcoming new followers
- Bio with intro info and links
- Auto-reply only if they DM you first
Multiple Accounts / Regional Bots
Multiple Accounts / Regional Bots
Allowed if:
- Each account serves non-duplicative purposes (e.g., @EarthquakeJP, @EarthquakeCA)
- Content is meaningfully different (location-specific, language-specific)
- Not used to bypass limits or amplify the same message
Customer Support Automation
Customer Support Automation
Allowed if:
- User initiates (mentions you, DMs you, or explicitly opts in)
- Clear opt-out mechanism exists
- Responses are helpful, not promotional
- Includes privacy policy link in DMs
Giveaways & Contests
Giveaways & Contests
Proceed with caution:
- Requiring follows/retweets as entry can be seen as engagement manipulation
- Must comply with X’s contest guidelines
- Don’t use multiple accounts to amplify
- Ensure prizes are real and delivered
Data handling and display requirements
Content deletion
You must delete X Content from your systems when requested:Off-X matching
Off-X matching means associating X data (username, user ID, posts) with off-platform identifiers (your customer database, email lists, device IDs, etc.).Allowed with express opt-in consent:
- User explicitly agrees to link their X account with your service
- Clear disclosure of what data will be matched and why
Sensitive data
You cannot derive, infer, or store information about X users in these categories:
Exception: Aggregate analysis without storing personal identifiers (no user IDs, usernames, or linkable data) may be allowed for research purposes, subject to applicable laws.
Displaying X content
Technical restrictions
These limits apply to all developers. Exceeding them can result in rate limiting or suspension.
Special use cases
Security and compliance
Your obligations as a developer:Security Requirements
Security Requirements
- Use industry-standard security practices to protect X data
- Never share your API credentials or tokens
- Store credentials securely (environment variables, secret managers—not in code)
- Implement proper authentication in your apps
Breach Notification
Breach Notification
If you experience a security breach involving X data:
- Notify X immediately
- Take steps to mitigate the breach
- Cooperate with X’s investigation
Confidentiality
Confidentiality
- Treat any non-public information from X as confidential
- Don’t disclose API rate limits, internal X data, or non-public features
- Don’t use confidential info for competitive purposes
Audit Rights
Audit Rights
- X may audit your compliance up to once per year
- You must provide reasonable access and documentation
- Keep records of how you use X data
Summary: do’s and don’ts
- Do
- Don't
For Automated Accounts:
- Enable “Automated” profile label
- Disclose operator in bio
- Wait for users to initiate interaction
- Provide easy opt-out
- Get approval for AI-generated replies
- Use only the official X API
- Respect rate limits and redistribution limits
- Delete content within 24 hours when requested
- Get opt-in consent for off-X matching
- Use proper attribution when displaying X Content
- Secure your credentials and notify X of breaches
- Keep records of your X data usage