Skip to main content
Violations can result in app suspension, API access revocation, or permanent account bans. Always review the official policies before building.

Developer Agreement

Binding legal terms for API access

Developer Policy

Rules for building on X

Automation Rules

Specific rules for bots

Restricted Use Cases

Prohibited activities

Quick check: is my app allowed?

Before building, ask yourself these questions. If you answer “no” to any of them, your app likely violates X’s policies.

User Initiated?

For interactions, did the user explicitly request it?

Transparent?

Is your app’s purpose and behavior clear to users? (Automated accounts must be labeled.)

Easy Opt-Out?

Can users easily opt out of any ongoing interactions?

Real Value?

Does it provide real value beyond self-promotion?

Official API Only?

Are you only using the official API (not scraping/browser automation)?

Within Limits?

Are you within rate limits and respecting usage policies?
When in doubt, ask: “Would a user be happy with this experience?” If not, reconsider your approach.

Common scenarios: allowed or not?

Real-world examples to help you understand what’s permitted. These rules apply to all apps—whether you’re building a bot, mobile app, web integration, browser extension, analytics dashboard, or any other tool that uses the X API.

Prohibited activities

These activities will get your app suspended or permanently banned. There are no exceptions.

Automation rules

This section applies specifically to automated accounts (bots) that post, reply, or interact on behalf of users. If you’re building an analytics dashboard, research tool, or other non-automated app, these labeling requirements don’t apply to you—but the technical restrictions still do.

Requirements for automated accounts

All automated accounts using the X API must meet these requirements:
1

Enable the 'Automated' profile label

This label appears under your bot’s name/handle on its profile. Enable it in your app settings to ensure transparency.
2

Disclose in bio

State clearly that it’s a bot and who operates it. Example: “Bot by @yourcompany” or “Automated account managed by Example Inc.”
3

Link to a human-managed account

For accountability and contact purposes, your bot must be associated with a human-managed account.
4

Honor opt-out requests immediately

If a user says “stop,” stop. Implement keyword detection for common opt-out phrases.
5

Use only the official X API

No scraping, browser automation, or unofficial methods. Violations result in permanent suspension.
6

Stay within rate limits

Don’t try to circumvent or abuse rate limits. Design your app to handle limits gracefully.

Automated actions: what’s allowed?


Gray areas explained

Many developers have questions about edge cases. Here’s guidance on common gray areas.
  • Requires prior approval from X before deployment
  • Must still follow all rules (no unsolicited mentions, properly labeled)
  • Contact X via the Policy Support form before launching
  • Even with approval, cannot impersonate humans
Deploying AI-generated replies without approval is a violation, even if the content itself is helpful.
Not allowed as automated DMs—this counts as unsolicited contact, even though they followed you.Alternatives:
  • Pinned tweet welcoming new followers
  • Bio with intro info and links
  • Auto-reply only if they DM you first
Allowed if:
  • Each account serves non-duplicative purposes (e.g., @EarthquakeJP, @EarthquakeCA)
  • Content is meaningfully different (location-specific, language-specific)
  • Not used to bypass limits or amplify the same message
Not allowed if:
  • Posting identical/similar content across accounts
  • Created to evade suspensions or rate limits
Allowed if:
  • User initiates (mentions you, DMs you, or explicitly opts in)
  • Clear opt-out mechanism exists
  • Responses are helpful, not promotional
  • Includes privacy policy link in DMs
Not allowed if:
  • You reach out to users who complained publicly (unsolicited)
  • Responses are primarily promotional
Proceed with caution:
  • Requiring follows/retweets as entry can be seen as engagement manipulation
  • Must comply with X’s contest guidelines
  • Don’t use multiple accounts to amplify
  • Ensure prizes are real and delivered
Consider entry methods that don’t require engagement actions, like replying with a specific phrase.

Data handling and display requirements

These requirements are legally binding under the Developer Agreement. Non-compliance can result in termination and legal action.

Content deletion

You must delete X Content from your systems when requested:
Use Compliance Firehose to receive real-time deletion events and stay compliant automatically.

Off-X matching

Off-X matching means associating X data (username, user ID, posts) with off-platform identifiers (your customer database, email lists, device IDs, etc.).
Allowed with express opt-in consent:
  • User explicitly agrees to link their X account with your service
  • Clear disclosure of what data will be matched and why
Without consent, you may only match:
  • Information the user directly provided to you
  • Publicly available X data (posts, bio, display name, username)
  • Public resources like professional directories
Never match if it would surprise the user.

Sensitive data

You cannot derive, infer, or store information about X users in these categories:
Exception: Aggregate analysis without storing personal identifiers (no user IDs, usernames, or linkable data) may be allowed for research purposes, subject to applicable laws.

Displaying X content


Technical restrictions

These limits apply to all developers. Exceeding them can result in rate limiting or suspension.

Special use cases


Security and compliance

Your obligations as a developer:
  • Use industry-standard security practices to protect X data
  • Never share your API credentials or tokens
  • Store credentials securely (environment variables, secret managers—not in code)
  • Implement proper authentication in your apps
If you experience a security breach involving X data:
  • Notify X immediately
  • Take steps to mitigate the breach
  • Cooperate with X’s investigation
  • Treat any non-public information from X as confidential
  • Don’t disclose API rate limits, internal X data, or non-public features
  • Don’t use confidential info for competitive purposes
  • X may audit your compliance up to once per year
  • You must provide reasonable access and documentation
  • Keep records of how you use X data

Summary: do’s and don’ts

For Automated Accounts:
  • Enable “Automated” profile label
  • Disclose operator in bio
  • Wait for users to initiate interaction
  • Provide easy opt-out
  • Get approval for AI-generated replies
For All Apps:
  • Use only the official X API
  • Respect rate limits and redistribution limits
  • Delete content within 24 hours when requested
  • Get opt-in consent for off-X matching
  • Use proper attribution when displaying X Content
  • Secure your credentials and notify X of breaches
  • Keep records of your X data usage