OAuth with the Twitter APIs
Twitter API Authentication Model
Application-only authentication: OAuth2 (bearer token)
Application-only authentication is a form of authentication where an application makes API requests on its own behalf, without the user context. This method is for developers that just need read-only to access public information.
Example: If a developer is trying to view Tweets or lists that are publically available, then they just have to use application-only authentication.
API calls using app-only authentication are rate limited per API method at the app level. Not all API methods support application-only authentication because some methods require a user context (for example, a Tweet can only be created by a logged-in user, so user context is required for that operation). Not all API methods support application-only authentication because some methods require a user context (for example, a Tweet can only be created by a logged-in user, so user context is required for that operation).
Application-user authentication: OAuth 1a (access token for user context)
The user authentication method of authentication allows an authorized app to act on behalf of the user, as the user.
Example: if a developer wanted to build a feature that would allow a user to post Tweets through their platform using the statuses/update endpoint, the developer would have to use user authentication to get permission from the user to post a Tweet on their behalf.
In other words, a signed request identifies an application’s identity in addition to the identity accompanying granted permissions of the end-user the application is making API calls on behalf of, represented by the user’s access token.
User authentication requires the consumer key and secret from your Twitter app and the access token and access token secret retrieved through the 3-legged-OAuth process with the user that the developer is acting on the behalf of. Not all API methods support application-user authentication.
API methods that support both forms of authentication will contain two rate limits in the documentation, application-only authentication and one that is per user (for application-user authentication, and not to be confused with the first item of this list) and the other. Not all API methods support both types of authentication.