Reset Password (two-step)
Two-step Twitter/X account recovery — you trigger the reset, the owner supplies the emailed code, you get fresh tokens. Works for any mailbox. $0.005 per step.
/twitter/reset-password/send-codeA two-step recovery flow for when you don't have (or can't read) the mailbox: you trigger the reset, the account owner reads the emailed code from their own inbox and hands it back, and we complete the reset and return fresh tokens. Because the owner reads the code, this works for any email provider — including Hotmail/Outlook, Gmail and Yahoo (which the auto-read User Login V2 can't handle).
It's effectively a "refresh the tokens" tool: it sets a new password we control and returns a fresh auth_token / ct0 / twid. Each step costs $0.005 per call.
Step 1 — Send the code
/twitter/reset-password/send-codeTriggers X's password-reset email for the account and returns a session_id.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
username | string | Yes | Twitter username (without @) |
proxy | string | No | Proxy URL for the reset trigger |
Response (200)
{
"status": "success",
"session_id": "1d171e717491ab...",
"expires_in": 900,
"message": "A password-reset code was emailed to the account. Submit it to /twitter/reset-password/confirm with this session_id."
}The session_id is valid for ~15 minutes (the code's lifetime).
Step 2 — Confirm with the code
/twitter/reset-password/confirmCompletes the reset with the code the owner received, and returns fresh tokens plus the new password.
Save the returned new_password. It's the account's password now.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
session_id | string | Yes | From step 1 |
code | string | Conditional | The reset code the owner read from their email. Required on the first confirm. On a 2FA resume (after a TOTP_REQUIRED response) the code is already consumed — send session_id + totp_secret and omit code. |
totp_secret | string | Conditional | Base32 TOTP secret — required if the account has 2FA |
Response (200)
Same shape as User Login V2:
{
"username": "myaccount",
"new_password": "Gx7hcuyxk5xr",
"auth_token": "59bace0de501...",
"ct0": "9959...",
"twid": "u=155977652",
"profile": { "...": "..." }
}Error Responses
Errors include a code field:
| HTTP | code | Meaning |
|---|---|---|
| 404 | ACCOUNT_NOT_FOUND | Account not found (suspended, deleted, or renamed) |
| 410 | SESSION_EXPIRED | Unknown/expired session_id — start again at step 1 |
| 409 | SESSION_BUSY | A confirm is already in progress for this session — retry shortly |
| 400 | CODE_REJECTED | Wrong code — the session stays valid, retry with the correct code |
| 400 | TOTP_REQUIRED | Account has 2FA — password was already reset (new_password is returned); call confirm again with the same session_id and totp_secret |
| 502 | TWO_FA_FAILED | 2FA failed — check totp_secret, retry with the same session_id (password already reset) |
Once the password is set, the flow is resumable: a missing/wrong totp_secret never loses new_password — retry 2FA with the same session_id rather than restarting.
When to use which
- User Login V2 — one call if you have the mailbox password and it's a supported provider (GMX/mail.com, Hotmail/Outlook).
- This two-step flow — when you don't have the mailbox password, the provider isn't auto-readable (Gmail/Yahoo), or the account owner is in the loop to read the code.
Example
# 1) send the code
curl -X POST "https://api.getxapi.com/twitter/reset-password/send-code" \
-H "Authorization: Bearer API_KEY" \
-H "Content-Type: application/json" \
-d '{ "username": "myaccount" }'
# 2) confirm with the code the owner received
curl -X POST "https://api.getxapi.com/twitter/reset-password/confirm" \
-H "Authorization: Bearer API_KEY" \
-H "Content-Type: application/json" \
-d '{ "session_id": "<from step 1>", "code": "avfw47d9", "totp_secret": "SXGS5MN2IHUMV34H" }'User Login V2 (Recovery)New
Recover a Twitter/X account with a dead token and changed password via the mailbox. Returns fresh tokens + a new password. $0.005 per call.
List Members
Get all members of a public Twitter/X list via API. $0.001 per call, ~20 users per call. GetXAPI list members endpoint documentation.