There are three levels of permission available:
- Read only
- Read and write
- Read, write and access Direct Messages
An additional permission exists to request visibility of a user’s email address - this can be combined with any of the three levels listed above.
If a permission level is changed, any user tokens already issued to that Twitter app must be discarded and users must re-authorize the App in order for the token to inherit the updated permissions.
A good practice is to request only the minimum level of access to a user’s account data that an application or service requires.
This permission level permits read access to Twitter resources, including (for example) a user’s Tweets, home timeline, and profile information. It does not allow access to read a user’s Direct Messages, and it does not allow to update any element or object.
Read and write
This permission level permits read and write access to Twitter resources. In addition to allowing read access, it also allow to post Tweets, follow users, or update elements of a user’s profile information. It also allow to hide replies on behalf of the authenticating user. This permission level does not allow any access to Direct Messages (including read, write, or delete).
Read, write and access Direct Messages
This permission level includes access to all of the above and adds the ability to read, write and delete Direct Messages on behalf of a user.
- POST direct_messages/events/new
- GET direct_messages/events/show
- GET direct_messages/events/list
- DELETE direct_messages/events/destroy
Additional: Request email address
All authenticated API requests return an
x-access-level header in the HTTP response. The value of the header shows the current permission level of either the Access Token or Bearer Token in use. Possible values are read, read-write, and read-write-directmessages.