Native X/Twitter automation client with multiple posting strategies and GraphQL-based reading. Built to bypass bot detection (Error 226) encountered when posting via cookie-auth sessions.
This repo is runnable and already supports the main intended operator split:
- official API posting for reliable writes
- session/cookie-backed reading for timeline and account inspection
- thread draft validation before posting
xbot/
├── src/
│ ├── cli.js # Unified CLI (read + official API post)
│ ├── client.js # XClient: direct GraphQL fetch for reading
│ ├── post_official.js # Official Twitter API v2 poster (OAuth 1.0a — Option 1)
│ └── credentials.js # Shared credential loader (.env + georgerepo tokens)
├── research/
│ └── X_VIRALITY.md # Notes on recommendation dynamics and posting philosophy
├── setup/
│ └── OFFICIAL_API_SETUP.md # Durable setup note for X official API read/write access
├── README.md
└── IMPROVEMENTS.md # Backlog and bot-detection strategy options
Three strategies are available, ordered by reliability. See IMPROVEMENTS.md for full
trade-off analysis.
| Strategy | File | Reliability | Notes |
|---|---|---|---|
| Option 1: Official API v2 | post_official.js |
Highest | Requires dev app OAuth keys |
| Option 2: Session warming | (inline patch) | Medium | No extra credentials |
| Option 3: Playwright browser | cli.js post |
Variable | Uses real Chrome profile |
npm installnpm run env
npm testSet in a local .env file, a private env file referenced by your shell, or the shell environment:
AUTH_TOKEN=...
CT0=...
Typical shell setup before read commands:
set -a
source ../georgerepo/.tokens/x-twitter.env
set +aAdd these to .env in this directory or to georgerepo/.tokens/x-twitter.env:
X_API_KEY=...
X_API_SECRET=...
X_ACCESS_TOKEN=...
X_ACCESS_TOKEN_SECRET=...
These are separate from the cookie-based read credentials (AUTH_TOKEN, CT0).
Posting will not work until all four API values are present.
For workflows that must not use the default/private X account, point xbot at
a dedicated env file:
XBOT_ENV_FILE=../georgerepo/.tokens/x-sports-radar.env node src/cli.js outliers \
--query "NBA OR NFL"Values in XBOT_ENV_FILE override the default private token file and ambient
shell credentials for that process. Use this for Sports Radar or other
account-specific research lanes where the account boundary matters.
node src/cli.js post "Your tweet text here"node src/cli.js post --image /absolute/path/to/image.png "Your tweet text here"node src/cli.js post --reply-to 1234567890123456789 "Your reply text here"node src/cli.js thread-validate ../georgerepo/social-media/text/platforms/x-linkedin-threads/2026-04-14_builder-vs-coder-ai-thread.mdnode src/cli.js thread-post ../georgerepo/social-media/text/platforms/x-linkedin-threads/2026-04-14_builder-vs-coder-ai-thread.mdnode src/cli.js home --count 10node src/cli.js latest --count 10node src/cli.js menode src/cli.js user <handle> --count 10node src/cli.js outliers \
--queries "AI agents,Claude Code,context engineering,agent reliability" \
--count 20 \
--limit 10Use JSON when saving runs for later analysis:
node src/cli.js outliers --query "AI agents" --count 50 --format json- Open the X Developer Console at
https://console.x.comand sign in with the X account that should own the posts. - Accept the Developer Agreement if the account has not been enrolled yet.
- Click
New Appand create an app for this posting workflow. - In the app settings, make sure the app permission level is
Read and write. - In
Keys and tokens, generate and save these credentials immediately:- API Key
- API Secret
- Access Token
- Access Token Secret
- Add the four values to
georgerepo/.tokens/x-twitter.envorxbot/.env:X_API_KEY=... X_API_SECRET=... X_ACCESS_TOKEN=... X_ACCESS_TOKEN_SECRET=...
- If you changed app permissions after generating tokens, regenerate the access token and secret so they pick up the new scope.
From the workspace root:
node xbot/src/cli.js post "hello from xbot official api"If credentials are missing, xbot will tell you exactly which env vars are absent.
On success, it prints the created tweet ID.
Missing credentials: one or more of the fourX_*API variables are not loaded.403or permission errors: the app is stillRead only, or the access token was generated before switching toRead and write.- Read commands working but post failing: this usually means only
AUTH_TOKENandCT0are present. Read and write auth are separate in this repo.
Chrome profile defaults (edit src/client.js to override):
- Path:
~/Library/Application Support/Google/Chrome - Profile:
Default
- Keep posting stable through the official API path.
- Keep read-side commands useful for research, account checks, and outlier discovery.
- Make auth boundaries explicit so failures are diagnosable.
- Preserve a local CLI contract that an agent can operate without hidden glue.
- replacing X's platform constraints with fake reliability claims
- turning
xbotinto a generic social scheduler - blurring read and write auth into one magic credential path
research/X_VIRALITY.md— working notes on what seems to drive reach on X, how to think about recommendation surfaces, and practical posting philosophy for builders.
setup/OFFICIAL_API_SETUP.md— exact console flow, credential mapping, and failure modes for gettingxbotonto the official X API with read/write access.
Created: Early 2026
Motivation: The bird CLI tool (cookie-auth GraphQL) reliably reads X data but
triggers error 226 ("automated request") on write operations. xbot was built as a
stealth Playwright alternative and later extended with official API v2 support for
reliable posting.