Skip to main content
Xquik is a hosted SaaS platform for X (Twitter) data. All data processing happens server-side. There is no infrastructure to deploy, no workers to manage, and no X API credentials to configure. You interact with Xquik through the REST API, MCP server, or dashboard.

Architecture overview

┌──────────────────────────────────────────────────┐
│                    Clients                        │
│  REST API  ·  MCP Server  ·  Dashboard  ·  CLI   │
└──────────────────────┬───────────────────────────┘
                       │ HTTPS
┌──────────────────────▼───────────────────────────┐
│                  Xquik Server                     │
│  Next.js App Router  ·  API Routes  ·  MCP Host  │
├───────────────────────────────────────────────────┤
│  Auth  ·  Rate Limiter  ·  Usage Tracking         │
├───────────────────────────────────────────────────┤
│  Extraction Engine · Draw Engine · Monitors · Write API │
└──────────┬──────────────────────┬─────────────────┘
           │                      │
┌──────────▼──────────┐  ┌───────▼─────────────────┐
│     Database        │  │   Xquik Stream Service   │
│                     │  │  Real-time event         │
│                     │  │  processing & webhooks   │
└─────────────────────┘  └───────┬─────────────────┘

                        ┌────────▼────────┐
                        │   X API Layer   │
                        └─────────────────┘

Components

ComponentRole
REST API122 endpoints at https://xquik.com/api/v1/* for programmatic access
MCP Server2 tools (explore + xquik) at https://xquik.com/mcp for AI agent integration
DashboardWeb UI for managing monitors, running extractions, viewing results
Xquik StreamBackground service that maintains WebSocket connections to X and delivers webhook events
DatabasePrimary datastore for all user data, extraction results, events, and job state
X API LayerManaged access to X data with automatic retry and rate management
Write APIPost tweets, like, retweet, follow, DM, profile updates, and media uploads via connected X accounts
IntegrationsTelegram bots and notification channels for formatted monitor events
See integration workflows for end-to-end code examples using these components.

Security model

Authentication

Xquik uses API key authentication for all API and MCP access. The MCP server also supports OAuth 2.1 for platforms that require it (Claude.ai, ChatGPT Developer Mode).
AspectDetail
Headerx-api-key (lowercase, required on every request)
Key formatxq_ prefix + 64 hex characters
StorageKeys are hashed at rest. Xquik never stores plaintext keys
RevocationInstant via dashboard or API. Revoked keys return 401 immediately
Last usedTracked per key for audit purposes
OAuth 2.1MCP server supports OAuth 2.1 with PKCE for Claude.ai and ChatGPT Developer Mode
Session authDashboard uses session cookies (magic link login)
API keys are shown once at creation. Store them securely. There is no way to retrieve a key after creation.

Data isolation

Every API key is scoped to a single user account. There is no cross-user access.
ResourceIsolation
MonitorsEach user sees only their own monitors
EventsEvents are scoped to the user’s monitors
WebhooksWebhook endpoints and delivery logs are per-user
ExtractionsExtraction jobs and results belong to the creating user
DrawsGiveaway draws and winner lists are per-user
API KeysUsers manage only their own keys (session auth required)
Attempting to access another user’s resources returns 404 Not Found (not 403), preventing enumeration attacks.

Authorization

Xquik uses a flat permission model: no roles, no RBAC, no team workspaces.
  • One user, one account: Each account has full access to all its own resources
  • API key = full access: Any valid API key for an account can perform all operations that account is authorized for
  • Session-only endpoints: API key management (/api/v1/api-keys/*) requires session auth (dashboard login), not API key auth. You cannot create or revoke API keys using an API key.
  • Subscription gates: Metered endpoints (extractions, draws, X lookups) require an active subscription. Management endpoints (monitors, webhooks, events) work without a subscription.

Rate limits

Rate limits are enforced per user account using a fixed-window counter algorithm. Each tier has an independent counter that resets every 60 seconds.
TierMethodsLimit
ReadGET, HEAD, OPTIONS120 per 60s
WritePOST, PUT, PATCH30 per 60s
DeleteDELETE15 per 60s
When the limit is reached, requests return 429 Too Many Requests with a Retry-After: 60 header. See the Rate Limits guide for detailed explanations, backoff strategies, and client-side rate limiter code examples.

Usage & billing

AspectDetail
Subscription2020-199/month. Includes 1 monitor + monthly credit allowance
Additional monitors$5/month each
Credit top-upsPurchase additional credits at $0.00015/credit via the dashboard. See Billing & Usage

What counts as usage

Metered (consumes quota)Free (unlimited)
Tweet searchesMonitor management
User lookupsEvent retrieval
Follower checksWebhook management
ExtractionsIntegration management
DrawsAPI key management
TrendsAccount management
Write actions (tweet, like, retweet, follow, DM, profile, media)X account management
Radar
Style cache management
Drafts
See Billing & Usage for credit costs and billing.

Monitoring architecture

Xquik monitors X accounts in real time through a dedicated background service. 
X Data Stream


┌─────────────────┐     ┌──────────────────┐
│  Xquik Stream   │────▶│    Database      │
│    Service      │     │                  │
└────────┬────────┘     └──────────────────┘


┌─────────────────┐
│ Webhook Delivery │
│ HMAC-signed POST │
│ 5 retries, exp.  │
│ backoff           │
└─────────────────┘
AspectDetail
Event typestweet.new, tweet.reply, tweet.quote, tweet.retweet, follower.gained, follower.lost
DeliveryHMAC-SHA256 signed HTTPS POST to registered webhook endpoints
Retries5 attempts with exponential backoff (1s, 2s, 4s, 8s, 16s)
TimeoutWe recommend webhook endpoints respond with 2xx within 10 seconds
PropagationEvents appear within seconds to minutes depending on X API latency

Platform limitations

LimitationDetail
Single regionAll data is processed and stored in a single datacenter (no multi-region replication)
Bookmarked tweetsBookmarks require an authenticated X account connection
Export capFile exports are capped at 100,000 rows per extraction (10,000 for PDF). Formats: CSV, JSON, MD, MD Document, PDF, TXT, XLSX
Webhook retries5 attempts maximum. After exhaustion, the delivery is marked as exhausted
Monitor default1 monitor included per subscription. Additional monitors cost $5/month each

Next steps

Quickstart

Get up and running with your first API call.

Authentication

API key format, header requirements, and dual auth.

Rate Limits

Fixed-window limits, backoff strategies, and code examples.

Billing & Usage

Pricing, credit allowances, and billing.