GetXAPI
Users

Reset Password (two-step)

Two-step Twitter/X account recovery — you trigger the reset, the owner supplies the emailed code, you get fresh tokens. Works for any mailbox. $0.005 per step.

POST/twitter/reset-password/send-code

A two-step recovery flow for when you don't have (or can't read) the mailbox: you trigger the reset, the account owner reads the emailed code from their own inbox and hands it back, and we complete the reset and return fresh tokens. Because the owner reads the code, this works for any email provider — including Hotmail/Outlook, Gmail and Yahoo (which the auto-read User Login V2 can't handle).

It's effectively a "refresh the tokens" tool: it sets a new password we control and returns a fresh auth_token / ct0 / twid. Each step costs $0.005 per call.

Step 1 — Send the code

POST/twitter/reset-password/send-code

Triggers X's password-reset email for the account and returns a session_id.

Request Body

FieldTypeRequiredDescription
usernamestringYesTwitter username (without @)
proxystringNoProxy URL for the reset trigger

Response (200)

{
  "status": "success",
  "session_id": "1d171e717491ab...",
  "expires_in": 900,
  "message": "A password-reset code was emailed to the account. Submit it to /twitter/reset-password/confirm with this session_id."
}

The session_id is valid for ~15 minutes (the code's lifetime).

Step 2 — Confirm with the code

POST/twitter/reset-password/confirm

Completes the reset with the code the owner received, and returns fresh tokens plus the new password.

Save the returned new_password. It's the account's password now.

Request Body

FieldTypeRequiredDescription
session_idstringYesFrom step 1
codestringConditionalThe reset code the owner read from their email. Required on the first confirm. On a 2FA resume (after a TOTP_REQUIRED response) the code is already consumed — send session_id + totp_secret and omit code.
totp_secretstringConditionalBase32 TOTP secret — required if the account has 2FA

Response (200)

Same shape as User Login V2:

{
  "username": "myaccount",
  "new_password": "Gx7hcuyxk5xr",
  "auth_token": "59bace0de501...",
  "ct0": "9959...",
  "twid": "u=155977652",
  "profile": { "...": "..." }
}

Error Responses

Errors include a code field:

HTTPcodeMeaning
404ACCOUNT_NOT_FOUNDAccount not found (suspended, deleted, or renamed)
410SESSION_EXPIREDUnknown/expired session_id — start again at step 1
409SESSION_BUSYA confirm is already in progress for this session — retry shortly
400CODE_REJECTEDWrong code — the session stays valid, retry with the correct code
400TOTP_REQUIREDAccount has 2FA — password was already reset (new_password is returned); call confirm again with the same session_id and totp_secret
502TWO_FA_FAILED2FA failed — check totp_secret, retry with the same session_id (password already reset)

Once the password is set, the flow is resumable: a missing/wrong totp_secret never loses new_password — retry 2FA with the same session_id rather than restarting.

When to use which

  • User Login V2 — one call if you have the mailbox password and it's a supported provider (GMX/mail.com, Hotmail/Outlook).
  • This two-step flow — when you don't have the mailbox password, the provider isn't auto-readable (Gmail/Yahoo), or the account owner is in the loop to read the code.

Example

# 1) send the code
curl -X POST "https://api.getxapi.com/twitter/reset-password/send-code" \
  -H "Authorization: Bearer API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "username": "myaccount" }'

# 2) confirm with the code the owner received
curl -X POST "https://api.getxapi.com/twitter/reset-password/confirm" \
  -H "Authorization: Bearer API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "session_id": "<from step 1>", "code": "avfw47d9", "totp_secret": "SXGS5MN2IHUMV34H" }'

On this page