
permissions

why chrome shows what it shows when you install reciproq.

chrome shows you a scary-looking permission prompt when you install reciproq. here's exactly what each permission is for, in plain language. if anything below feels off, don't install us.

storage

what chrome calls it: "store data locally on your device."

what reciproq actually does with it: saves two things, both on your device only:

what we don't do with it: no cloud sync unless you explicitly sign in. no fingerprints. no history.

alarms

what chrome calls it: "schedule background tasks."

what reciproq actually does with it: schedules exactly one alarm: reset the daily counter at midnight in your timezone.

what we don't do with it: no background polling, no analytics pings, no remote checks.

webRequest

what chrome calls it: "read or modify your network requests."

what reciproq actually does with it: watches for two specific requests on x.com / twitter.com:

  1. the CreateTweet GraphQL request that fires when you submit a reply. we count that you replied. we do not read or store the reply body.
  2. the same CreateTweet request when you submit a top-level tweet. if your reply count is below the threshold, we block the request and surface the lock state. if you've met the threshold, we let it through.

what we don't do with it: we do not read, log, modify, or forward request bodies. we do not touch any other site's network traffic. we do not redirect, intercept, or transform any HTTP traffic outside of the two requests named above.

this permission triggers review by a human reviewer at the chrome web store. we expect that and have written the source code to be auditable. the relevant logic is in src/background/index.ts and is open to security researchers on request.

host access: *://*.x.com/* and *://*.twitter.com/*

what chrome calls it: "read and change all your data on x.com and twitter.com."

what reciproq actually does with it: runs the content script + watches the network requests described above. the script reads the URL to know whether you're on a status page (where blocking the compose button would deadlock replies) versus the home timeline. it writes one CSS data-attribute to the document root (data-reciproq-locked="true|false") so the in-page banner can render.

what we don't do with it: read your DMs. read your timeline content. scrape followers. touch settings. send any data from x.com or twitter.com to our server.

what we don't ask for (on purpose)

source-code request

if you want to inspect the exact code that uses these permissions before installing, email hello@reciproq.xyz and we'll send you a tarball of the build that produced the version currently on the chrome web store. we'll open-source post-validation.
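
one way to check a build's manifest.json against the permissions listed on this page, as an added example (not reciproq's own code). auditManifest is a hypothetical helper name and both sample manifests are constructed.

```javascript
// Permissions and host patterns this page declares. Anything else is a finding.
const DECLARED_PERMISSIONS = new Set(["storage", "alarms", "webRequest"]);
const DECLARED_HOSTS = new Set(["*://*.x.com/*", "*://*.twitter.com/*"]);

// A match pattern contains "://" or is the special "<all_urls>" token.
const isHostPattern = (s) => s === "<all_urls>" || s.includes("://");

// Hypothetical helper: returns a list of findings for a parsed manifest.json.
function auditManifest(manifest) {
  const seen = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const fields = ["permissions", "optional_permissions",
                  "host_permissions", "optional_host_permissions"];
  for (const field of fields) {
    for (const value of manifest[field] || []) {
      seen.push({ field, value, host: isHostPattern(value) });
    }
  }
  // Content scripts gain page access through their own "matches" lists.
  for (const [i, cs] of (manifest.content_scripts || []).entries()) {
    for (const value of cs.matches || []) {
      seen.push({ field: `content_scripts[${i}].matches`, value, host: true });
    }
  }
  // Exact string comparison: a narrower pattern is reported too, so a reviewer looks at it.
  const findings = [];
  for (const { field, value, host } of seen) {
    const declared = host ? DECLARED_HOSTS : DECLARED_PERMISSIONS;
    if (!declared.has(value)) {
      findings.push(`undeclared ${host ? "host pattern" : "permission"} "${value}" in ${field}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not reciproq's real manifest.json).
const matchesPage = {
  manifest_version: 3,
  permissions: ["storage", "alarms", "webRequest"],
  host_permissions: ["*://*.x.com/*", "*://*.twitter.com/*"],
  content_scripts: [{ matches: ["*://*.x.com/*", "*://*.twitter.com/*"], js: ["content.js"] }],
};
const widerThanPage = {
  ...matchesPage,
  permissions: ["storage", "alarms", "webRequest", "tabs"],
  host_permissions: ["<all_urls>"],
};

console.log(auditManifest(matchesPage));   // no findings
console.log(auditManifest(widerThanPage)); // two findings
```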