OAuth 2.0

Bearer Token (also known as app-only)

OAuth 2.0 Bearer Token authenticates requests on behalf of your developer App. As this method is specific to the App, it does not involve any users. This method is typically for developers that need read-only access to public information. 

This authentication method requires for you to pass a Bearer Token with your request, which you can generate within the Keys and tokens section of your developer Apps. Here is an example of what a request looks like with a fake Bearer Token:

API calls using app-only authentication are rate limited per endpoint at the App level.

To use this method, you'll need a Bearer Token, which you can generate by passing your API Key and Secret through the POST oauth2/token endpoint, or by generating it in the "keys and token" section of your App settings in the developer portal.

If you'd like to revoke a Bearer Token, you can use the POST oauth2/invalidate_token endpoint, or click where it says "revoke" next to the Bearer Token in the "keys and tokens" section of your App settings.

OAuth 2.0 Authorization Code Flow with PKCE

OAuth 2.0 Authorization Code Flow with PKCE allows you to authenticate on behalf of another user with have more control over an application’s scopes and improves authorization flows across multiple devices. In other words, developers building applications for people on Twitter will have more control over the information their App requests from its users, so that you only have to ask your end-users for the data and information you need.

This modern authorization protocol will allow you to present your end-users with a more streamlined consent flow for authorizing your app, which only displays the specific scopes you have requested from them. Not only does this reduce your data burden, but it may also lead to increased trust from end-users.

Next steps

• App only authentication
• App only Access Tokens
• OAuth 2.0 User Context
• Making requests on behalf of others using OAuth 2.0