Should I ask my Twitter plugin users to create their own Twitter App and API Keys to use my plugin?

I have seen many plugins do it this way. But it definitely seems like a very tedious step to follow for the user in order to use the plugin…

Is it the right method?

Yes.

Should I somehow, store my Consumer API key & secret details on my server? And any of my distributed plugins should automatically fetch it from my server? Further, are the Consumer API key & secret associated with my Twitter app, meant to be distributed with my Twitter plugins?

NO to all of these. And if I could use larger letters than all caps, I would.

There are a number of reasons for this.

First, as the developer of a plugin that will use the Twitter API, you personally are not the API user. That would be the user of your plugin. Allowing your plugin users to use your API credentials would be a violation of Twitter’s policies.

Additionally, this is just a bad practice. You have no control over the end user of the plugin and how they ultimately use the service. You’d be putting yourself in a situation where, if Twitter decided some end user of yours was in violation of the terms of use, they could yank the credentials.

You might think this is not possible, or that it’s low risk because you’re just reading, but what if someone decides to modify the plugin itself and is able to hack things in a way that puts your use of the API in violation of Twitter’s terms?

In other words, a single end user of your plugin could jeopardize the API use by both you and all of your other plugin users. There is the potential that you wake up one morning, open your email, and find you are flooded with support tickets asking why the service is shut down.

Read the developer policies carefully and understand that what you are providing is a product that uses the Twitter API. You’re not providing a connection to the API.

Beyond all of that, it also depends on how your plugin will be distributed. If you’re planning on wordpress.org repo distribution, storing the API key on your server for your plugin to retrieve could be viewed as be a violation of the repo’s policies on “phoning home.” It’s a gray area, so it depends on the opinion of who is doing the review at the time, but why not just do it right to begin with and avoid a potential hassle?


Related Posts:

  1. Google credentials and redirect URI for Google OAuth2 in a WordPress plugin, questions
  2. How do WordPress plugins work with oAuth2 APIs?
  3. Difference Between Filter and Action Hooks?
  4. How can you check if you are in a particular page in the WP Admin section? For example how can I check if I am in the Users > Your Profile page?
  5. How to create an API for my plugin?
  6. How to store username and password to API in wordpress option DB?
  7. Is there a limit on making calls to WordPress.org API’s?
  8. Using filters and actions for plugin API?
  9. WordPress and multithreading
  10. permalinks with get variables
  11. Build dynamic page from cURL (HTML page) response with plugin
  12. How to override a function call in functions.php?
  13. wp_enqueue_style built in styles
  14. Does WordPress’s HTTP API use any caching?
  15. Example Dashboard Widget, Cancel not working
  16. Amending REST API function without deactivate/activate plugin every time changes is made
  17. Why does wp_remote_post returns an empty body response on certain endpoints?
  18. Adding custom end points, No error line
  19. Sending post request with wp_remote_post not working correctly
  20. woocommerce_checkout_order_processed hook executing function twice
  21. Authorizing a plugin to call Google Analytics v4 API on wp_cron
  22. What to hook into to check a value before a post is published?
  23. Encoding Method for URLs?
  24. Plugin index page code executes multiple times
  25. Pass CF7 form data to plugin
  26. Best way to ping for the API changes in the wordpress?
  27. Plugin architecture to pull from API & create dynamic content on WP site?
  28. Lead form that submits to 2 external APIs
  29. Widget internal hooks and functions
  30. Modify code for functions.php with specific twitter user url and hashtags
  31. Allow REST API Endpoint to specific user and hide from public
  32. Custom Endpoint – Does it possible to use PUT method with WP API Rest?
  33. Get API auth_token token to renew weekly
  34. How to query a nested field in wordpress api using _fields param
  35. call funcution when clicking submit
  36. Adding Amchart Interface to WordPress API
  37. How do I make secure API calls from my WordPress plugin?
  38. Generate Static Page to Show Search Results/Detail for API
  39. Using AJAX to submit and return data inside the WordPress Plugin Boiler Plate framework
  40. Hiding WordPress REST endpoints from public viewing using Basic Authentication
  41. add pagination to wp_remote_get
  42. Multisite and the JSON REST API: How to?
  43. API WordPress is Limited? Return False
  44. Tie specific functions to options-update for limiting API requests
  45. Do you see any problems (mainly security-related) with how I’ve used wp_ajax_* actions?
  46. Is there a way to tell if a shorcode’s handler is being run before or after the content formatting filter?
  47. Can a plugin differentiate syndication feeds from actual site views?
  48. Detect each active instance of a widget
  49. Developing a plugin, ran it through P3 Profiler, shows up slow, but I don’t know why
  50. add_rewrite_rule not working
  51. How do I query posts and have their related taxonomies returned in the results?
  52. modify buddpress adminbar only in admin pages
  53. Email verification feature in wordpress social login plugin
  54. How to update WordPress Plugins in your own maintance application?
  55. Adding custom avatar field to comments
  56. Programmatically creating posts based on external JSON feed (asynchronously)
  57. External api call using wordpress
  58. Where to store PHP files created by plugin / themes
  59. WordPress 4.5 deprecated get_currentuserinfo()
  60. Admin config screen without menu
  61. What is the added “complexity” of custom tables?
  62. Why does preg_replace_callback never fire in this function?
  63. Call to undefined function get_blog_option()
  64. Unable to get content from $post on first publish
  65. Best Practices for Creating and Handling Forms with Plugins?
  66. Gutenberg: useDispatch is not a function – @wordpress/data included
  67. How to get orders with used coupon in WooCommerce
  68. Why not to include reference to /wp-admin/admin.php in Plugin
  69. How can I add an options page for my class based plugin?
  70. Sending WP posts to external API
  71. Comments do not respect display_name setting, how to make plugin to overcome this
  72. How to Debug: My Plugin Interferes With My Theme
  73. How to stop activation addon if the main plugin is not activated
  74. How would you compose a complex plugin with lots of routes and functions? [closed]
  75. What plugin development paradigm differences have occurred between version 3.5 and now?
  76. How do I change the image from the default mysteryman in the WP Profile page
  77. Error: Call to a member function get_error_code() on a non-object
  78. WordPress: How to rename the main php plugin base file?
  79. Filter for admin (back end) ‘reply to’ comment
  80. How to get custom post_author?
  81. Is there any way to hide page from dashboard (all pages list) OR navbar from plugin function?
  82. WordPress database error: [Query was empty] – using $wpdb->prepare()
  83. Showing results from json-string in WordPress search results page
  84. How to revive (or take over) a plugin?
  85. Make visible page only in the trash
  86. Reading plugin settings in esnext wordpress block
  87. Plugin frontend page design irrespective of the theme used
  88. add_meta_box does not display meta box in Admin
  89. How to store in the database directly the translation?
  90. What is the “best” way to update a theme via a plugin?
  91. Is there a an option to modify the post content directly on the browser instead of having it reflected on browser by modifying in the database?
  92. Custom theme and plugin updating
  93. Error on using __FILE__ for add_menu_page() Function
  94. Getting error of unexpected output during activation
  95. Projectmanager Internal Link Code Location
  96. How to add something after a function
  97. how many rupee or dollar charge to client to make theme [closed]
  98. React Plugin Settings Page Localization
  99. Is it within WordPress guidelines to update another plugin’s database fields from my own plugin? [closed]
  100. Block Development: hamburger module throwing error in save function