Twitter API OAuth 403 Forbidden Fix

I was recently integrating “Login with X” (Twitter OAuth 2.0) for a project, and everything seemed smooth — got the access token without issues. But when I tried calling https://api.twitter.com/2/users/me, I hit a 403 Forbidden response.

No clear errors. No useful clues.

After tons of debugging, the fix was surprising: Twitter (X) requires the tweet.read scope even if you’re just trying to access user data. You’d expect users.read to be enough for /users/me, but nope. That weird requirement isn’t clearly documented anywhere, which made things extra confusing.

So if you’re stuck, make sure your scope includes: tweet.read users.read [and others if needed]
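One way to catch the missing scope before the 403, as an added example that is not code from the original post: it builds the authorization URL with both scopes always present and checks the `scope` field of the token response before /2/users/me is called. The authorization endpoint URL, the function names, the client ID placeholder and the callback URL are assumptions; the sample token response is constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumption: X's OAuth 2.0 authorization endpoint; confirm it against your app settings.
AUTHORIZE_URL = "https://twitter.com/i/oauth2/authorize"
# Per the post: /2/users/me needs tweet.read in addition to users.read.
USERS_ME_SCOPES = frozenset({"tweet.read", "users.read"})


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, extra_scopes=()):
    """Build the authorization URL, always including the scopes /2/users/me needs."""
    scopes = sorted(USERS_ME_SCOPES | set(extra_scopes))
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-delimited, RFC 6749 section 3.3
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def missing_scopes(token_response, required=USERS_ME_SCOPES):
    """Return the required scopes absent from a token response's `scope` field."""
    granted = set(str(token_response.get("scope", "")).split())
    return set(required) - granted


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "https://app.example/callback",
                              secrets.token_urlsafe(16), challenge, ["offline.access"]))
    # Constructed token response reproducing the failing case from the post.
    bad = {"token_type": "bearer", "access_token": "PLACEHOLDER", "scope": "users.read"}
    print("missing:", missing_scopes(bad))  # fail here instead of on a bare 403
```

Running `missing_scopes` on the token response right after the code exchange turns the opaque 403 into an explicit error naming the scope that was not granted.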

Since Elon took over, the API’s clarity and documentation have gone way downhill. It’s harder to find accurate info, and the scope system feels unnecessarily messy.

Anyway, hope this saves someone the hours I burned on it.
