Subscribing to private events
Private XAA event types (legacy DMs, encrypted chat, likes, and others marked Private in Event types and authentication) require explicit user authorization: OAuth 2.0 user context or OAuth 1.0a user access. Application-only Bearer tokens are not sufficient.
This page shows the same subscription HTTP shape as
Subscribing to public events, but with
xurl --auth oauth2 or xurl --auth oauth1.
Prerequisites
- An X app with XAA access and a registered webhook
- A real user who signs in with X and approves your app with the right permissions
-
User tokens registered in
xurlfor--auth oauth2or--auth oauth1
The xurl README documents OAuth 2.0 user and OAuth 1.0a user flows. The xURL chapter covers installing the tool and app bearer registration; extend that setup with user credentials before continuing.
Who the user_id filter refers to
For private streams, the user_id in your filter must be a user who has
authorized your app. In the common “subscribe to my own DMs or chat”
case, that is the same user whose OAuth profile you select with
--auth oauth2 or --auth oauth1.
Example: subscribe with user auth
Below, the authenticated user is subscribing to their own incoming
encrypted messages (chat.received):
xurl --auth oauth2 /2/activity/subscriptions -X POST -d '{
"event_type": "chat.received",
"filter": {
"user_id": "AUTHORIZED_USER_ID"
},
"webhook_id": "YOUR_WEBHOOK_ID",
"tag": "my chat inbox"
}'
If your token or scopes are wrong, X returns an OAuth or permission error instead of a
200 subscription body—treat that as a configuration issue.
Success response
{
"data": {
"subscription": {
"created_at": "2025-10-07T05:31:56Z",
"event_type": "chat.received",
"filter": {
"user_id": "AUTHORIZED_USER_ID"
},
"subscription_id": "1146654567674912769",
"tag": "my chat inbox",
"updated_at": "2025-10-07T05:31:56Z",
"webhook_id": "YOUR_WEBHOOK_ID"
}
},
"meta": {
"total_subscriptions": 1
}
}
Listing with user context
When you call GET /2/activity/subscriptions with the same user profile you
used to create private subscriptions, the response includes
only the subscriptions created under that specific user’s authorization.
xurl --auth oauth2 /2/activity/subscriptions
Other private events
The same user-OAuth flow applies to any event marked Private. For
example, like.create also accepts the optional direction
filter:
xurl --auth oauth2 /2/activity/subscriptions -X POST -d '{
"event_type": "like.create",
"filter": {
"user_id": "AUTHORIZED_USER_ID",
"direction": "outbound"
},
"webhook_id": "YOUR_WEBHOOK_ID",
"tag": "my likes"
}'
Use "direction": "inbound" to track likes received on that user's
posts. See Direction filter for details.