A Chrome extension that provides X/Twitter API functionality with proper authentication and transaction ID generation.

• Auto Bearer Token Extraction: Automatically captures Bearer tokens from X.com API requests
• CSRF Token Management: Extracts and manages X-CSRF-Token headers
• X-Client-Transaction-ID Generation: Uses the xclienttransaction library to generate proper transaction IDs for X API requests
• SearchTimeline QueryID Extraction: Dynamically extracts GraphQL query IDs from X.com's JavaScript bundles
• Web Summarization: Built on Chrome's experimental summarization API

• Chrome browser with AI Summarization API support
• Node.js and npm installed
• Access to x.com/twitter.com (extension requires host permissions)

1. Clone this repository

   git clone <repository-url>
   cd smol-twemex

2. Install dependencies

   npm install

3. Build the extension

   npm run build

   Important: Always build before loading the extension as there are build steps for content scripts.

4. Load the extension in Chrome

   • Open Chrome and go to chrome://extensions/
   • Enable "Developer mode" (toggle in top-right)
   • Click "Load unpacked" and select the project root directory (not the dist folder)
   • The extension icon should appear in your toolbar

5. Test the extension

   • Visit x.com or twitter.com and log in
   • Click the extension icon to open the side panel
   • The extension will automatically:
     • Initialize the X-Client-Transaction-ID generator
     • Extract Bearer and CSRF tokens from your browsing session
     • Generate fresh transaction IDs for API requests

┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Sidepanel     │    │  Background     │    │ Content Script  │
│   (index.js)    │    │ (background.js) │    │(transaction-gen)│
└─────────────────┘    └─────────────────┘    └─────────────────┘
         │                        │                        │
         │ 1. GET_AUTH_TOKENS     │                        │
         ├────────────────────────▶                        │
         │                        │                        │
         │                        │ 2. Find x.com tab     │
         │                        │ 3. generateTID         │
         │                        ├────────────────────────▶
         │                        │                        │
         │                        │ 4. Fresh TxnID         │
         │                        ◀────────────────────────┤
         │                        │                        │
         │ 5. All tokens          │                        │
         ◀────────────────────────┤                        │
         │                        │                        │
         │ 6. API Request         │                        │
         │ (with fresh TxnID)     │                        │
         └────────────────────────┼────────────────────────┼───▶ x.com API
                                  │                        │
                                  │ 7. Extract tokens      │
                                  │ via webRequest         │
                                  │                        │

1. User clicks "Debug: Fetch Tweets" in sidepanel
2. Sidepanel → Background: GET_AUTH_TOKENS message
3. Background script:
   • Retrieves Bearer/CSRF tokens from storage
   • Finds active x.com tab
   • Background → Content Script: generateTID message
4. Content Script (runs on x.com):
   • Auto-initializes XClientTransaction library (fetches x.com + ondemand.js)
   • Generates fresh transaction ID using proper algorithm
   • Content Script → Background: Returns transaction ID
5. Background → Sidepanel: Returns all tokens (Bearer, CSRF, TransactionID, QueryID)
6. Sidepanel: Makes API request to x.com with fresh tokens
7. Background webRequest: Captures new tokens from live API traffic

The extension uses the xclienttransaction library in content script context to bypass CORS:

1. Content Script Initialization: Runs on x.com pages, fetches homepage + ondemand JavaScript (same-origin)
2. Animation Data Extraction: Parses SVG animation data from X.com's loading animations
3. Key Byte Extraction: Extracts cryptographic keys from X.com's JavaScript bundles
4. Fresh Generation: Creates new transaction IDs for each API request using proper algorithm

• Bearer Token: Extracted from outgoing API requests via chrome.webRequest API
• CSRF Token: Captured from X-CSRF-Token headers in API calls
• Transaction ID: Generated fresh per request by content script (no CORS issues)
• QueryID: Dynamically extracted from X.com's main JavaScript bundle with 1-hour caching

The extension provides a message-based API for other scripts:

// Get all authentication tokens
chrome.runtime.sendMessage({
  type: 'GET_AUTH_TOKENS'
}, (response) => {
  const { bearerToken, csrfToken, transactionId, searchTimelineQueryId } = response;
  // Use tokens for X API requests
});

// Generate fresh transaction ID for specific request
chrome.runtime.sendMessage({
  type: 'GENERATE_TRANSACTION_ID',
  method: 'POST',
  path: '/i/api/graphql/SearchTimeline'
}, (response) => {
  const { transactionId } = response;
});

• background.js: Service worker handling token extraction, message routing, and webRequest monitoring
• scripts/transaction-generator.js: Content script (x.com pages) with XClientTransaction library for generating fresh transaction IDs
• sidepanel/: UI for displaying summaries and triggering API requests
• scripts/extract-content.js: Content script for extracting webpage content for summarization
• dist/: Built extension files (generated by rollup)

• xclienttransaction: X-Client-Transaction-ID generation
• @mozilla/readability: Content extraction for summarization
• rollup: Build system for content scripts

• Transaction Generator: Initialized once on startup, reused for all requests
• QueryID: Cached for 1 hour to avoid excessive main.js fetching
• Tokens: Stored in chrome.storage.local and updated from live API requests

• Fallback hardcoded QueryID if extraction fails
• Graceful degradation when transaction generator initialization fails
• Comprehensive logging with color-coded console output

1. Ensure you've run npm run build after any code changes
2. Check Chrome Developer Tools > Extensions for error messages
3. Verify you're logged into x.com/twitter.com
4. Check the extension has host permissions for x.com and twitter.com

1. Check x.com page console for [TXN-CS] content script logs
2. Ensure you're on x.com: Content script only loads on x.com/twitter.com pages
3. Check background console for [BG][TXN] message passing logs
4. Verify content script injection: Look for "Transaction generator content script loaded" message
5. Try refreshing the x.com page if content script fails to initialize

1. Visit x.com and perform some actions (tweet, search, etc.) to trigger API calls
2. Check chrome.storage.local in DevTools to see if tokens are being stored
3. Ensure the extension has proper webRequest permissions

• X-Client-Transaction-ID Library
• Chrome Extension Manifest V3
• Chrome AI Summarization API
• X/Twitter API Research

MIT

On-device Summarization with Gemini Nano

This sample demonstrates how to use the experimental Summarization API in Chrome. To learn more about the API and how to sign-up for the preview, head over to the summarizer guide on developer.chrome.com.

The extension summarizes the content of the currently open tab. It uses Mozilla's readability library to extract the content of the currently active tab and displays a summary of the page generated by Chrome's experimental summarization API in a side panel.

1. Clone this repository
2. Run npm install in this folder to install all dependencies.
3. Run npm run build to build the extension.
4. Load the newly created dist directory in Chrome as an unpacked extension.
5. Click the extension icon to open the summary side panel.
6. Open any web page, the page's content summary will automatically be displayed in the side panel.

If you use this sample as the foundation for your own extension, be sure to update the "trial_tokens" field with your own origin trial token and to remove the "key" field in manifest.json.