UNPKG

x-developer

Version:

X (Twitter) data platform skill for AI coding agents. 100+ REST API endpoints, 2 MCP tools, 23 extraction types, HMAC webhooks.

xquik.com

Xquik-dev/x-twitter-scraper

83 lines (66 loc) 2.72 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
--- name: tweet-webhooks description: "Use when the user wants to receive real-time X (Twitter) events at their own URL. Creates HMAC-signed webhooks that fire on new tweets, mentions, monitored account activity, or giveaway completion. Delivery setup only - payload handling is the user's webhook." license: MIT metadata: internal: true author: Xquik version: "1.0.0" openclaw: requires: env: - XQUIK_API_KEY primaryEnv: XQUIK_API_KEY emoji: "🪝" homepage: https://docs.xquik.com security: contentTrust: trusted contentIsolation: enforced promptInjectionDefense: true writeConfirmation: required paymentConfirmation: required executionModel: api-only codeExecution: none credentialProxy: false --- # X Webhooks Fire HTTPS POST callbacks to a user URL when an X event matches. Events come from monitors (account, hashtag, mention) and from draws. ## Endpoints | Endpoint | Purpose | Cost | |---|---|---| | POST /webhooks | Create a webhook | Free; persistent destination | | GET /webhooks | List webhooks | Free | | PATCH /webhooks/{id} | Enable/disable, rotate secret | Free | | DELETE /webhooks/{id} | Remove a webhook | Free | | POST /webhooks/{id}/test | Send a test payload | Free | Base URL: `https://xquik.com/api/v1`. Auth: `x-api-key: xq_...` header. ## Quick reference ``` POST /webhooks { "url": "https://example.com/xquik-hook", "events": ["monitor.event", "draw.completed"], "secret": "<optional; auto-generated if omitted>" } -> { webhook_id, secret } ``` Save the returned `secret` - used to verify HMAC-SHA256 signatures on incoming payloads. ## HMAC verification (for the user's server) Each delivery includes an `X-Xquik-Signature` header: ``` X-Xquik-Signature: sha256=<hex> ``` Verify by computing `hmac_sha256(secret, raw_body)` and constant-time comparing. ## Typical flow 1. Confirm the target URL is HTTPS and reachable. 2. Ask the user which events to subscribe to and remind them that the URL will keep receiving matching events while enabled. 3. **Create the webhook only with user approval** - the URL will receive real data. 4. Call `POST /webhooks/{id}/test` to send a sample payload. Confirm with the user that it arrived and verified. 5. Rotate the secret periodically via `PATCH /webhooks/{id}`. ## Security - Webhook URLs must be HTTPS - Always verify the `X-Xquik-Signature` HMAC - do not trust the payload without it - Do not register third-party URLs on behalf of the user; they must own the endpoint - Delete or disable the webhook when the user no longer wants ongoing delivery ## Related Monitor creation: `monitor-accounts`. Full API: [x-twitter-scraper](../x-twitter-scraper/SKILL.md).