Verified safe β€” OAuth 2.0 PKCE

Is Rotating Posts safe?

Yes. Here's exactly why.

We use the same authorization standard as Notion, Slack, and every major enterprise app. No passwords. No guesswork. No risk of bans.

πŸ”

OAuth 2.0 with PKCE β€” what that actually means

(Proof Key for Code Exchange β€” the industry gold standard)

When you click "Connect X", here's the exact sequence that happens β€” nothing more, nothing less:

01

You're redirected to Twitter's own login page

We don't show you a form. We don't handle credentials. Twitter shows you their page at twitter.com β€” your browser talks directly to them.

02

Twitter asks: "Allow Rotating Posts to post for you?"

You see exactly what permissions we're requesting (post tweets). You approve or deny β€” directly on Twitter's UI.

03

Twitter sends us a short-lived authorization code

This code is single-use, expires in minutes, and is cryptographically bound to a challenge we generated β€” that's the PKCE part. Even if intercepted, it's useless.

04

We exchange the code for an access token

We never see your password. Twitter gives us a scoped access token β€” a key that can only do what you approved (posting). It's stored encrypted.

05

We post on your behalf using that token

Every tweet we send goes through the official X API v2. It looks exactly like a tweet you sent yourself.

Exactly what we can β€” and can't β€” do with your account.

What we CAN do
  • βœ“Post tweets from your account
  • βœ“Post threads you've saved in your library
  • βœ“Read your public tweet history (to import)
What we CANNOT do
  • βœ—See or store your password
  • βœ—Read your DMs
  • βœ—Follow or unfollow accounts
  • βœ—Like, retweet, or reply on your behalf
  • βœ—Access your email or phone number
  • βœ—Delete your tweets

Our OAuth scope is limited to tweet.write and tweet.read. Nothing else is technically possible with our token.

Why your account won't get banned.

Bans happen when tools fake engagement, spam, or bypass the API. We do none of that.

πŸ›

Official API only

We use X API v2 exclusively. No browser automation, no screen-scraping, no grey-area tricks. Every request is logged and rate-limited by Twitter's own infrastructure.

⏳

Human-paced posting

Posts go out on a spaced schedule β€” never in bursts. The posting pattern is indistinguishable from a person tweeting throughout the day.

πŸ“

Only your own content

We repost content you wrote. No mass-following, no mass-liking, no interaction farming. X's spam detection triggers on behavior patterns we never exhibit.

Revoke access in one click β€” from anywhere.

You can disconnect Rotating Posts at any time from two places: the Rotating Posts dashboard (Settings β†’ Disconnect X), or directly from X Settings β†’ Security β†’ Connected apps. The moment you revoke, our token stops working permanently. We can't post, read, or touch your account in any way after revocation.

X Settings β†’ Connected apps
R
Rotating Posts
tweet.write Β· tweet.read
Revoke

What we store β€” and what we don't.

βœ“
Your tweet content (the posts you add to your rotation library) β€” We need this to repost them on schedule.
βœ“
Your encrypted X access token β€” Required to post via the API on your behalf. Encrypted at rest.
βœ“
Posting logs (what was sent, when) β€” Shown in your activity feed for transparency.
βœ—
Your X password β€” We never receive it. OAuth handles auth entirely on Twitter's side.
βœ—
Your DMs, likes, or follower list β€” Outside our OAuth scope. Technically impossible with our token.
βœ—
Your email (from X) β€” We don't request the email scope. You sign up with your own email, not your X email.

The same OAuth standard that powers Slack, Notion, and every enterprise app β€” applied to your tweets.

Built by people who care about their own accounts too.

Security FAQ.

Does Rotating Posts store my Twitter/X password?
No. OAuth 2.0 means you log in on Twitter's own site and Twitter tells us you approved access. We never receive, see, or store your password at any point.
What is PKCE and why does it matter?
PKCE (Proof Key for Code Exchange) prevents a class of attack where someone intercepts the authorization code mid-flight and tries to use it. The code is cryptographically bound to a random secret we generate β€” if intercepted, it's worthless without that secret.
Has this ever caused an account suspension?
No. We post only original content at human-paced intervals using the official X API. The only behavior that triggers bans (spam, buying followers, automation outside the API) is not something we do.
What happens to my data if I delete my account?
Deleting your Rotating Posts account removes all stored tweets, settings, and your access token from our database. We retain nothing.
Can I use Rotating Posts without giving write access?
No β€” posting on your behalf requires write access. That's the whole product. But the scope is strictly limited to tweet posting.

Safe, automatic, and free to start.

No password shared. No card required. Cancel from X settings whenever you want.

Start Rotating β€” Free

Questions? Check the How It Works page or email us.