Vibble API OAuth & Authentication Guide

This guide outlines how applications authenticate with Vibble, how OAuth tokens are issued and managed, and the security requirements for handling user identities and sessions.

1. Authentication Models

Vibble supports industry-standard authentication models to protect user accounts and API access:

  • OAuth 2.0 for delegated user access.
  • Client Credentials for server-to-server integrations.
  • Short-lived Access Tokens with optional refresh tokens for specific flows.

2. OAuth Scopes

Applications must request the minimum set of scopes necessary, such as:

  • read:posts – Read a user’s public posts and timelines.
  • write:posts – Publish posts on behalf of the user.
  • read:dm / write:dm – Direct message access (highly restricted).
  • read:account – Basic account profile and settings.

Overly broad scopes may result in rejection during app review or force-downscaling by Vibble’s Trust & Safety teams.

3. User Consent & Authorization Screens

  • Users must see a clear, honest description of your app and requested permissions.
  • You may NOT misrepresent your identity, business, or usage of granted data.
  • Consent must be freely given and revocable at any time via Vibble account settings.

4. Token Security & Storage

  • Access and refresh tokens must be stored server-side only.
  • Tokens must be encrypted at rest and transmitted over HTTPS/TLS.
  • Do not log tokens in plaintext or expose them in URLs, screenshots, or client code.
  • Implement automatic token rotation and revocation handling.

5. Session Management & Revocation

Users can revoke your app’s access at any time from Vibble’s security settings. Upon revocation:

  • Your app must immediately stop using the token.
  • You must delete or anonymize personal data that is no longer required.
  • Any further requests using revoked tokens will be rejected by the API.
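The following Go program is an added example of how an app can meet the requirements of sections 4 and 5 on the server side; it is not Vibble code and not part of any Vibble SDK. The TokenVault type and its Store, AccessToken, Revoke and Redact functions are hypothetical names chosen for this guide, and the key, user ID and token strings are constructed sample values. The vault seals each token with AES-256-GCM (Go's standard library) so the at-rest record holds no plaintext, overwrites the old ciphertext on rotation, drops the record on revocation so the app cannot keep calling the API with a revoked token, and gives log statements a redacted form of the token instead of the token itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrRevoked tells the caller that the user revoked access: stop using the
// token and delete or anonymize the personal data you no longer need.
var ErrRevoked = errors.New("token revoked")

// TokenVault is a hypothetical server-side token store (not a Vibble SDK
// type). Every token is sealed with AES-256-GCM before it is kept, so the
// at-rest record never contains plaintext. Refresh tokens get the same
// treatment; only the access token is shown to keep the example short.
type TokenVault struct {
	aead    cipher.AEAD
	records map[string][]byte // user ID -> nonce||ciphertext||tag
}

// NewTokenVault takes a 32-byte key that should come from a KMS or secrets
// manager, never from source code or an unencrypted config file.
func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, records: map[string][]byte{}}, nil
}

// Store saves a fresh access token, e.g. right after the code exchange.
// Calling it again for the same user is the rotation path: the previous
// ciphertext is overwritten, so a leaked copy of it is of no use to the app.
func (v *TokenVault) Store(userID, token string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Seal appends ciphertext and tag after the nonce so one blob is stored.
	v.records[userID] = v.aead.Seal(nonce, nonce, []byte(token), nil)
	return nil
}

// AccessToken decrypts the current token for an outgoing API call.
func (v *TokenVault) AccessToken(userID string) (string, error) {
	blob, ok := v.records[userID]
	if !ok {
		return "", ErrRevoked
	}
	n := v.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("stored token record is truncated")
	}
	plain, err := v.aead.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", err // wrong key or tampered record: refuse, do not guess
	}
	return string(plain), nil
}

// Revoke drops the user's token. Call it when the API rejects the token as
// revoked (or the refresh grant fails) and when a user disconnects the app.
func (v *TokenVault) Revoke(userID string) {
	delete(v.records, userID)
}

// Redact is what log lines and error messages receive instead of the token:
// a four-character prefix for correlation and nothing more.
func Redact(token string) string {
	if len(token) <= 8 {
		return "[REDACTED]"
	}
	return token[:4] + "...[REDACTED]"
}

func main() {
	key := make([]byte, 32) // demo only: a fresh random key per run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, _ := NewTokenVault(key)
	// Constructed sample token, not a real Vibble credential.
	_ = vault.Store("user-42", "acc-sample-0001-not-real")
	tok, _ := vault.AccessToken("user-42")
	fmt.Println("calling API with", Redact(tok)) // never the plaintext
	vault.Revoke("user-42")
	_, err := vault.AccessToken("user-42")
	fmt.Println("after revocation:", err)
}
```

The in-memory map stands in for a database row; in a real deployment the sealed blob is what gets persisted, the key stays in a KMS, and access to the map is guarded by a mutex or the database's own locking since this demo is single-goroutine. Once AccessToken returns ErrRevoked, the app should also run its data deletion or anonymization step for that user, as section 5 requires.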

6. Multi-Factor Authentication (MFA)

For sensitive operations (posting on behalf of high-profile accounts, accessing DMs, or admin tools), Vibble may require MFA. Your integration must not bypass or weaken MFA requirements.

7. Application Review & Risk Levels

  • High-risk scopes (DMs, email, advanced search) may require manual security review.
  • Apps dealing with political, financial, or health-related data may undergo enhanced checks.
  • Nexa-Group may request architecture diagrams or security documentation.

8. Handling Compromised Credentials

If you suspect a token or client secret is compromised:

  • Immediately revoke and rotate keys.
  • Notify Vibble Security at security@vibble.org.
  • Conduct an internal investigation and maintain incident logs.

9. Compliance & Legal Obligations

Authentication data is subject to global privacy regulations. You must comply with:

  • GDPR data minimization and security principles.
  • CCPA access and deletion rights where applicable.
  • Any contractual obligations under Nexa-Group data processing agreements.

10. Contact

Developer Auth Support: dev-auth@vibble.org
Security & Incident Reporting: security@vibble.org
Legal & Compliance: legal@nexa-group.org
