How to Get an X (Twitter) API Key in 2026
Key Takeaway: Go to console.x.com, sign in with your X account, accept the Developer Agreement, create an App, and copy your credentials. Approval is instant -- no manual review, no waiting period. The entire process takes under five minutes. Be aware: there is no free tier. X API runs on a pay-per-use model as of 2026, so you will need to purchase credits before making calls.
Last updated: April 7, 2026
If you have searched "how to get a Twitter API key" recently, you have probably run into guides that reference the old $200/month Basic plan, a free developer tier, or a multi-day approval process. None of that exists anymore. X overhauled its API access model in early 2026, replacing subscription tiers with pay-per-use pricing and removing the approval queue entirely.
This guide covers the current process from start to finish. It also addresses a question most guides skip entirely: do you actually need the official X API?
If your use case is purely read-only -- pulling tweets, searching keywords, analyzing profiles, tracking followers -- you do not need to deal with OAuth tokens, credit management, or X's per-resource billing at all. Third-party providers like Sorsa API offer read-only access to the same public data through a single API key header, with flat-rate pricing that is significantly cheaper at scale. This guide covers both paths so you can pick the one that fits.
Table of Contents
- Do You Actually Need the Official X API?
- How to Get an Official X API Key (Step-by-Step)
- Understanding X API Pricing Before You Start
- The Simpler Path: Getting a Read-Only API Key for Twitter Data
- How to Keep Your API Keys Secure
- FAQ
- Getting Started
Do You Actually Need the Official X API?
Before walking through the setup, it is worth asking what you actually need to do. The answer determines which path saves you time and money.
| What you need to do | Recommended path |
|---|---|
| Read tweets, profiles, search results, follower lists, mentions | Third-party read-only API (simpler setup, cheaper for read workloads) |
| Post tweets, send DMs, like, follow, delete content | Official X API (the only option for write actions) |
| Access the Ads API, compliance endpoints, or real-time filtered streams | Official X API |
| Read data at scale + occasional posting | Hybrid setup (third-party for reads, official for writes) |
The official X API is the only way to write to the platform. If you need to post tweets, send direct messages, follow accounts, or manage lists programmatically, there is no alternative. You need an X developer account.
But if you are building a social listening dashboard, collecting data for research, monitoring brand mentions, or pulling follower lists -- all read operations -- the official API adds complexity and cost you can avoid. The official X API pricing charges per resource fetched (each tweet, each user profile is a separate billable unit), while third-party providers typically charge per request regardless of how many items come back.
Both paths are covered below. Start with whichever matches your use case.
How to Get an Official X API Key (Step-by-Step)
This section covers the current process as of April 2026. If you have seen guides mentioning developer.twitter.com or apps.twitter.com, those URLs are outdated. Everything now happens through the Developer Console.
Step 1: Create a Developer Account
Go to console.x.com and sign in with your regular X account. You do not need a separate developer account -- your existing X login works.
You will be asked to accept the Developer Agreement and Policy, then fill in a short profile describing how you plan to use the API. This description is not manually reviewed. Write something honest and specific (e.g., "Building a Python script to track mentions of my brand"), but do not overthink it. Approval is automatic and instant for standard use cases.
No waiting period. No "we will review your application in 1-2 business days." You accept the terms, fill in the profile, and you are in.
The only edge case: if your X account has been flagged for spam or bot activity, onboarding might be blocked. Use a normal account with some history and you will be fine.
Step 2: Create an App
From the Developer Console dashboard, click New App. Provide a name, description, and use case for your application. The name must be unique across all X developer apps.
Once created, the console generates your API credentials immediately.
Step 3: Save Your Credentials
This is the step most people rush through and regret. X generates multiple credentials, and each one serves a different purpose:
| Credential | What it does | When you need it |
|---|---|---|
| API Key (Consumer Key) | Identifies your application to X | Always -- this is the base credential |
| API Key Secret (Consumer Secret) | Signs OAuth 1.0a requests alongside the API Key | OAuth 1.0a authentication flows |
| Bearer Token | Standalone token for app-only read access to public data | Read-only access (simplest auth method) |
| Access Token + Secret | Lets you make requests as your own X account | Posting, liking, following as yourself |
| Client ID + Secret | OAuth 2.0 credentials for user-context requests | Acting on behalf of other users in your app |
Save everything immediately. These credentials are displayed once. If you lose them, you will need to regenerate them, which invalidates the previous set. Store them in a password manager, a .env file, or a secrets vault -- not in a sticky note or a Slack message.
For most people reading this guide, the Bearer Token is the credential that matters most. It handles read-only access to public data with zero OAuth complexity -- just drop it into an Authorization header and go.
Step 4: Configure App Permissions
Navigate to your app settings in the Developer Console and find User Authentication Settings.
Three permission levels are available:
- Read -- can only read public data
- Read and Write -- can read data and post tweets, like, follow
- Read, Write, and Direct Messages -- full access including DMs
If you only need to read data using a Bearer Token, you can skip this step entirely. Permission configuration only matters for OAuth-based user-context actions.
One critical detail that trips people up: if you change permissions after generating your Access Token and Secret, you must regenerate those tokens. The old tokens retain the old permission scope. This is the single most common cause of 403 Forbidden errors when developers try to post after upgrading from read-only permissions.
Step 5: Make Your First API Call
Test your Bearer Token with a simple user lookup:
curl "https://api.x.com/2/users/by/username/elonmusk" \
-H "Authorization: Bearer $BEARER_TOKEN"
If you get a JSON response with user data, your credentials are working. If you get a 401 Unauthorized, double-check that you copied the Bearer Token correctly (no extra spaces, no missing characters).
For a deeper dive into authentication methods, see the official X API docs.
Understanding X API Pricing Before You Start
Most "how to get an API key" guides stop at the credentials. That leaves you with a working key and no idea what it will cost to use. In 2026, this matters more than ever.
X switched to pay-per-use pricing in early 2026. There are no subscription plans for new users. You buy credits through the Developer Console, and those credits are deducted per resource fetched:
| Resource | Cost per unit |
|---|---|
| Post read | $0.005 |
| User profile read | $0.010 |
| Content create (posting a tweet) | $0.010 |
| DM interaction create | $0.015 |
| User interaction create (like, follow) | $0.015 |
The key word is per resource, not per request. If a search query returns 20 tweets, that is 20 x $0.005 = $0.10 -- not $0.005. If you also need the author profile for each tweet, add 20 x $0.010 = $0.20. A single search call with user expansion costs $0.30.
There is also a hard cap of 2 million post reads per month on pay-per-use accounts. Beyond that, you need an Enterprise deal. For a full breakdown with real-world cost scenarios, see our complete X API pricing guide.
For comparison: flat-rate providers like Sorsa API charge per request, not per resource. One search call returning 20 tweets with full author profiles costs $0.00199 on the Pro plan. That is roughly 150x cheaper for the same data. The tradeoff is clear: flat-rate wins on read-heavy workloads, while the official API is the only option for writes.
The Simpler Path: Getting a Read-Only API Key for Twitter Data
If your project only needs to read public Twitter/X data -- searching tweets, pulling profiles, tracking mentions, analyzing followers -- you can skip the official X API entirely and get a working API key in under five minutes.
Sorsa API is a managed REST API that provides read-only access to public X data through 38 endpoints covering user profiles, tweets, search, follower graphs, communities, and lists. No OAuth, no Bearer Tokens, no credit management. Just one API key in a header.
Here is the setup:
1. Go to the Sorsa Dashboard and register with Google or any available auth provider. No X account needed.
2. Choose a plan (Starter at $49/mo for 10K requests, Pro at $199/mo for 100K, or Enterprise at $899/mo for 500K) and complete payment.
3. Copy your API key from the dashboard. That is it. You are ready to make calls.
Test it with a profile lookup:
curl --request GET \
--url 'https://api.sorsa.io/v3/info?username=elonmusk' \
--header 'ApiKey: YOUR_API_KEY'
Or in Python:
import requests
response = requests.get(
"https://api.sorsa.io/v3/info",
params={"username": "elonmusk"},
headers={"ApiKey": "YOUR_API_KEY"}
)
data = response.json()
print(data["display_name"]) # Elon Musk
print(data["followers_count"]) # 236021252
If you want to experiment before committing, the API Playground lets you test endpoints in the browser with no setup at all.
Official X API vs. Sorsa API: Setup Comparison
| Official X API | Sorsa API | |
|---|---|---|
| Account required | X (Twitter) account | Any email or Google account |
| Setup steps | 5 (developer account, app creation, permissions, credential management, test) | 3 (register, pay, copy key) |
| Auth method | OAuth 2.0 / Bearer Token / OAuth 1.0a (depends on use case) | Single ApiKey header |
| Time to first request | 2-10 minutes | Under 5 minutes |
| Write access (post, like, DM) | Yes | No (read-only) |
| Pricing model | Per resource fetched ($0.005-$0.015 per item) | Per request, flat ($0.0018-$0.0049 per call) |
| Free tier | No | No (but free tools available at sorsa.io/playground) |
For a full feature comparison of the official X API and third-party alternatives, see our X API alternatives guide.
How to Keep Your API Keys Secure
These practices apply whether you are using the official X API, Sorsa API, or any other service.
Use environment variables. Never hardcode keys in your source code. Store them in a .env file and load them at runtime:
X_BEARER_TOKEN=your_bearer_token_here
SORSA_API_KEY=your_sorsa_key_here
Add .env to your .gitignore. Credentials committed to a public repository get scraped by bots within minutes. This is not hypothetical -- I have seen it happen to clients during migration projects, and the cleanup is painful.
Rotate keys periodically. Both the X Developer Console and the Sorsa Dashboard let you regenerate keys. Do it every few months, or immediately if a key might have been exposed.
Use the minimum permissions your app needs. On the official X API, do not enable Read+Write+DM if you only need Read. On Sorsa API, scope is not a concern since the entire API is read-only by design, but limiting who has access to the key within your team still matters.
FAQ
Is the Twitter API free in 2026?
No. X eliminated its free tier and moved to pay-per-use pricing in early 2026. You must purchase credits before making any API call. There is no free credit allowance for new accounts. If you need zero-cost access to Twitter/X data, your options are third-party free tools (like the Sorsa API Playground), manual collection through the X web interface, or open-source scrapers -- each with their own limitations.
What is the difference between an API Key and a Bearer Token?
The API Key (also called Consumer Key) identifies your application. On its own, it cannot authenticate requests -- it needs to be paired with the API Key Secret in an OAuth signing process. The Bearer Token is a self-contained credential for app-only authentication. For read-only access to public data, the Bearer Token is all you need: put it in an Authorization: Bearer <token> header and you are done. OAuth 1.0a (using API Key + Secret + Access Token + Access Token Secret) is required only when you need to act on behalf of a user account -- posting, liking, following, or accessing DMs.
How long does it take to get approved for the X API?
Approval is instant. As of 2026, there is no manual review process for standard X API access. You sign in at console.x.com, accept the Developer Agreement, create an App, and receive your credentials in under two minutes. The old multi-day review queue that existed in 2022-2024 is gone. The only exception is the Ads API, which still requires separate approval and can take weeks.
Can I use the Twitter API without an X account?
For the official X API, no. You need an X account to access the Developer Console and create an App. For third-party providers like Sorsa API, no X account is required. You register with any email or Google account, get an API key, and start querying public Twitter/X data immediately.
What can I do with a Twitter API key?
With the official X API: read tweets, search posts, look up user profiles, pull follower and following lists, post tweets, send direct messages, like and retweet content, manage lists, and more. With a read-only third-party key: everything on the read side -- profiles, tweets, search, mentions, followers, communities, lists -- but no write operations. See the Sorsa API use cases guide for concrete implementation patterns.
Why was my X API application rejected?
Outright rejection is rare in 2026 since the approval process is automated. If you are unable to complete onboarding, the most common causes are: your X account has been flagged for spam or bot activity, your account is too new or has no activity history, or you are accessing from a region with restricted access. Use an established X account with normal activity and try again.
What happened to the free, Basic, and Pro plans?
Gone for new users. X retired the $100/month Basic and $5,000/month Pro subscription tiers when it launched pay-per-use pricing in early 2026. Existing subscribers on legacy plans can keep them, but new signups can only access the pay-per-use model. For a detailed timeline of every pricing change since 2023, see our X API pricing breakdown.
Getting Started
Two paths, depending on what you need:
Need read-only access to Twitter/X data? Start with Sorsa API. Three steps: register, pick a plan, copy your API key. 38 endpoints, flat per-request pricing, no OAuth configuration. Test endpoints for free in the API Playground before committing, or browse the full documentation.
Need to post, like, follow, or send DMs? Go to console.x.com, create your developer App, and grab your Bearer Token and OAuth credentials. Budget for pay-per-use costs: $0.005-$0.015 per resource depending on endpoint.
Building a read-heavy application that also needs occasional write access? Use both. Many teams run their read workloads through a third-party provider and keep a minimal official X API setup for posting and interactions. It is the most cost-effective architecture for mixed read/write pipelines.
Daniel Kolbassen is a data engineer and API infrastructure consultant with 12+ years of experience building data pipelines around social media platforms. He has worked with the Twitter/X API since the v1.1 era and has helped over 40 companies restructure their data infrastructure after the 2023 pricing overhaul. Follow him on Twitter/X or connect on LinkedIn.