How to bypass "Unauthorized character in header" for the Twitter API (and get a user's followers)

Post has been deleted due to me not explaining stuff properly and therefore making it a useless tutorial. if you want a detailed explanation on how to do this please contact me on Discord at debees#0691

Basic things you need :

  • heroku account
  • github account
  • your own fork of ProxyService
  • twitter developer account

For any info on how to setup any of these, again, please DM!

3 Likes

I really, really, wouldn’t recommend putting any API keys in any public or private code directly!! It’s essentially like giving someone else your Roblox login and telling them to go nuts. Instead, use environment variables/secrets.

Heroku (and GitHub) has a section in the settings for your project to assign secrets to the application. Other hosts, such as Glitch or Replit, may support .env files instead.

The bearer header would instead resemble something like this:

proxyReq.setHeader("Authorization", `Bearer ${process.env.TWITTER_KEY}`)
5 Likes

Definetly! I didn’t include this because I didn’t want to make the tutorial any harder but you are right, to anyone trying this I suggest doing this as well, I marked your response as a solution so everyone can know!

After some thinking I decided I’ll just host my own proxy but I still decided to share this as It’s relatively easy and offers people some info on how to make such a thing

1 Like

Replit doesn’t support .env unfortunately. They deprecated them. Replit use environment variables/secrets instead as well.

1 Like

this is very quickly veering off topic; however, Git allows you to view the commit history. unless the repo is private, anyone can backtrack to a commit where the API key is present and still access it

Oh, I’m not very experienced in GitHub so I had no clue lol

I think I followed everything correctly, but when I print results I get:

10:57:12.495 â–Ľ {
[“body”] = “{
“title”: “Unauthorized”,
“type”: “about:blank”,
“status”: 401,
“detail”: “Unauthorized”
}”,
[“headers”] = :arrow_forward: {…},
[“status”] = ▼ {
[“code”] = 401,
[“message”] = “Unauthorized”
}
} - Server - API Test:7

HttpService requests are enabled

I don’t have the headers table open either, cause there were a ton of stuff I didn’t know what they meant, afraid if it’s stuff that can be shared/etc.

Place is also public (read somewhere that errors like this can occur from that)

local Twitter_Id = 1962977918
local Access_Key = folder:GetAttribute("Access Key") -- just so I don't show the actual key

local ProxyService = require(script.ModuleScript)

local proxy = ProxyService:New("https://ninjo-games.herokuapp.com/", Access_Key )
local results = proxy:Get("https://api.twitter.com/2/users/" .. Twitter_Id .. "/followers?", false)
print(results)

App is also named ninjo-games
image

EDIT up doing testing, I think it might have something to do with the allowed hosts?? I don’t really wanna edit this though in case I am wrong, but following Fixing HttpService: Make PUT, PATCH, DELETE requests, access response headers, proxy to any site, and more and I managed to get stuff to work using like roblox api. So I assume I’d just paste like a twitter api into the allowed hosts?? I don’t wnana break anything tho
image

1 Like

Do I need to set any settings for this to work?

did you paste in the bearer key in the github repo and hide it? and yes the bearer token isn’t something sharable lol

I’m sorry, but I still don’t appreciate what you’re saying; please repeat yourself.