Twitter API 1.1 collections show 403/220 - api

I can't access this particular Twitter API endpoint:
https://api.twitter.com/1.1/collections/show.json?id=576828964162965504
(with any ID I tried). The request returns an error with the message "Your credentials do not allow access to this resource" and code "220".
The App-only authentication Bearer Token I'm using for the request is exactly the same as for my requests to /search/tweets.json, /statuses/user_timeline/show.json, /statuses/show.json and /users/show.json, all of which work just fine. Also the collection is public, so App-only authentication should suffice, I'm thinking.
I'm somehow sure that I'm missing something here, but can't find it anywhere in the official API docs, nor on StackOverflow, nor on Google.

According to the Twitter API documentation, collections/show requires a user context - so app-only authentication will not work in this case.
Additionally, collection IDs are usually in the form "custom-756140390927872000" or similar. You can get the list of collection IDs from a user by hitting the collections/list?screen_name=handle query.

Related

Twitter GET users/search client_credentials: Your credentials do not allow access to this resource

I have a static list of music artists and i want to get the id or screen_name of each one of them in Twitter.
I found this api endpoint: users/search which allows to run a query on Twitter and get all the accounts that match with the query. For example:
https://api.twitter.com/1.1/users/search.json?q=muse
will return all the accounts that match the query "muse".
I need to call this endpoint in client_credentials flow, i don't need any permission by the user (which is only me in any case). The problem is that Twitter returns the following response when i try to access the endpoint in client_credentials flow:
"message": "Your credentials do not allow access to this resource", "code": 220
I have tested other API endpoints such users/show, statuses/retweets, statuses/user_timeline and they all works in client_credentials, just the one i need doesn't work.
Is there anything i can do about that? Or i must change the OAUth flow?
mentioned error,
"{"errors":[{"message":"Your credentials do not allow access to this resource","code":220}]}"
comes when requesting an end point which requires a user context (such as statuses/home_timeline) using application only token.
You can verify whether or not same error comes for end points like statuses/home_timeline or statuses/retweets_of_me. These end points work only in some twitter user context. The end point that you want, users/search, also requires user context.
I am suspecting some issue in obtaining oauth token and secret. How are you getting authorized tokens for a given twitter user account?

Foursquare API exposing secret in javascript

I want to integrate the foursquare API in my website but I'm not that familiar with API security so I want to make sure I'm doing it right.
I want to search for venues in an area like the documentation states:
https://api.foursquare.com/v2/venues/search
?client_id=CLIENT_ID
&client_secret=CLIENT_SECRET
&v=20130815
&ll=40.7,-74
&query=sushi
Using javascript however, I don't feel comfortable that the client secret is exposed in my code like this, because if someone looks at my source they have the client_id and client_secret which makes it possible to authenticate themselves with my code:
https://developer.foursquare.com/overview/auth
Isn't that the same as, "hey look at my source code, my username = "someusername" and my password is "somepassword"?
Shouldn't the "client_secret" remain secret like it says? Or am I looking at it the wrong way?
I think the issue is that you're trying to access the Foursquare API using Javascript, which is executed on the client side, so yes, anybody using your website can, with a little bit of investigation, see the secret key that you're using, which is something that you definitely don't want to do.
The way to get around that is not to access the API using code that is executed on the client side. Whatever language you have building the website on the server side should be the code that accesses the API (using the auth credentials that you have set up) and then returns the results of the API call to the rest of the code.
Alternately, you can get users to authenticate with Foursquare and get an access token, which you can then use in user-specific API calls, and it won't matter if those are executed on the client side. I think this is the relevant page in the documentation for using that method: https://developer.foursquare.com/overview/auth#access

How to make twitter api calls using access token

I have managed to get an access token from the twitter api. Now I want to use that token for my further data fetching things, so please help me here to get the details of my twitter account.
For example, lets say I wanted to get the user's data, so when I tested this in apigee console, I got my result.
But how to get the same result, using same api, by hitting on a browser using the access token
something like this
Please help
It's a little more complex than the URL you suggested, but you can use Twitter's OAuth tool to generate the OAuth signature you need to make requests to its Home Timeline API call.
You can find the OAuth tool here:
https://dev.twitter.com/docs/api/1.1/get/statuses/home_timeline#oauth-tool
it's not like that when making twitter api calls you need to send consumer key, consumer secret, your_access_token and your_access_token_secret together
Eg: oauth_consumer_key="KEY",oauth_signature_method="HMAC-SHA1",oauth_timestamp="TIMESTAMP",oauth_nonce="NONCE",oauth_version="1.0",oauth_token="YOUR_TOKEN",oauth_signature="SIGN"
Source: https://twittercommunity.com/t/getting-the-user-details-using-access-token/6325/3

Which data do I have to store in DB once I get Token data in Linkedin API?

I assume workflow for OAuth is very similar in various sites. (twitter, linkedin)
I can successfully get requestToken, accessToken.
Is it okay, if I just store Accesstoken and use it later???
Yes, this is the generally accepted practice. I use this workflow on a few sites and based on the posts on the LinkedIn Developer's site, it looks like the method that most people are using.
The only trick is to cover yourself in the case that the user rejects your application's access rights; filter all responses from the LinkedIn API looking for an error indicating that the access token is no longer valid (you should be doing this filtering anyways for throttling issues).

Authorizing for Google ToDo List (AuthToken, secid)

I'm trying to get access to the Google's todo feed with this url:
https://www.google.com/calendar/tdl?secid=<SECID>&tdl={%22action_list%22%3A[{%22action_type%22%3A%22get_all%22%2C%22action_id%22%3A%221%22%2C%22list_id%22%3A%2215052708471047222911%3A0%3A0%22%2C%22get_deleted%22%3Afalse}]%2C%22client_version%22%3A-1}
If I open this in my browser with a correct secid, it shows me right what I want.
Now, the question is: how do I get secid programmatically (specifically, in a java program)? I have access to the authToken (from CalendarService), but I have no clue how to use it to authorize my access to the URL above.
I tried to use the url http://google.com/accounts/ServiceLogin, but I didn't find any examples.
Any help, please?
From what I read secid is a session ID obtained from browser's cookies. Whereas your case uses Java which implies a server app. If that is the case, you want to drop the idea of using secid entirely.
Instead, you want to check out Google's OAuth2 documentation. If you are using Java, most likely you would be interested in the web-server OAuth flow. Pay special attention to the sequence diagrams.
The key steps include:
1) Obtain an authorization code from Google OAuth with the user's consent. For that, you redirect the user to Google with the appropriate scope. Check the list of calendar scopes for your case. Once the user consents, Google redirects back to you with an authorization code.
2) Call Google OAuth with the authorization code and your app's credentials to exchange for an access token.
3) Call Google's Calendar API using the access token.
And if you use Google's Java client as suggested by #ChaosPredictor, chances are some of the steps are already wrapped into the Java client (and your code will be much simpler).