Authenticating users

Basic definitions

User - A Twitter @user. All write actions on the Twitter API require the context of a user. If you are building a bot, then the bot is a user. Customers interacting with the bot are also users. All messages sent on Twitter are between two user entities.

App - A Twitter app is created on An app is always owned by a single user. The app provides the base context for using the Twitter API.

Why do I need access tokens for user accounts?

All write actions using the Twitter API require access tokens. Reading private data such as direct messages also requires access tokens. Access tokens provide the user context when using the Twitter API.

In order for an app to read and write direct messages on behalf of a user, the user must grant permission to the app to do so. When a user grants permission, user tokens are generated for that user. Each subsequent API request for that user will then include these access tokens.
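An added example (not part of the original documentation) of how the app's keys and a user's access tokens appear in each request, assuming the OAuth 1.0a HMAC-SHA1 signing that Twitter Sign-in and twurl use. The credentials are constructed, the endpoint URL is an assumption, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0a percent-encoding: everything except RFC 3986 unreserved characters.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Sort the encoded key/value pairs, join them, then encode the whole string again.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def authorization_header(method, url, query, app, user, nonce, timestamp):
    oauth = {
        "oauth_consumer_key": app["key"],      # identifies the app
        "oauth_token": user["token"],          # identifies the user who granted permission
        "oauth_nonce": nonce,
        "oauth_timestamp": str(timestamp),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    # Both secrets form the HMAC key; neither is sent in the request.
    key = f"{pct(app['secret'])}&{pct(user['secret'])}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

# Constructed sample credentials (not real keys or tokens).
APP = {"key": "app-key-123", "secret": "app-secret-456"}
ALICE = {"token": "1001-alice-token", "secret": "alice-token-secret"}
BOB = {"token": "1002-bob-token", "secret": "bob-token-secret"}
URL = "https://api.twitter.com/1.1/direct_messages/events/list.json"  # assumed endpoint

if __name__ == "__main__":
    import secrets
    import time
    for user in (ALICE, BOB):
        # Fresh nonce and timestamp per request; same app, different user context.
        print(authorization_header("GET", URL, {"count": "20"}, APP, user,
                                   secrets.token_hex(16), int(time.time())))
```

Because the token secret is half of the signing key, a stored user token pair is a credential for that account and needs the same protection as a password.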

How do I generate the access tokens to read/write direct messages?

First your app must have the “Read, Write and Access direct messages” permission enabled on the “Permissions” tab on

Once the proper permissions are set, there are two types of scenarios where you will need to generate tokens:

1. User owns the app / Single User - If the user is the owner of the app, you can generate tokens on apps.twitter.com under the “Keys and Access Tokens” tab. Click the “Create my access tokens” button on the bottom of the page.

2. User does not own the app / Multiple Users - If your app is going to consume Direct Messages on behalf of multiple users, each user must authenticate with your app to grant permission. To achieve this you must have a web app that implements Twitter Sign-in.

If you have access to the user accounts (e.g. test accounts), then you can use twurl. Adding a user account to twurl generates access tokens for that account. The access tokens for each user will be stored in a .twurlrc file. See the docs for twurl on GitHub for details.