Oauth with the Twitter APIs

Twitter uses OAuth to provide authorized access to its API.


  • Secure - Users are not required to share their account credentials with 3rd party applications, increasing account security.
  • Standard - A wealth of client libraries and example code are compatible with Twitter’s OAuth implementation.

Twitter API Authentication Model

1. User authentication aka user context

The user authentication method of authentication allows an app to act on behalf of the user, as the user.

Example: if a developer wanted to build a feature that would allow a user to post Tweets through their platform using the statuses/update endpoint, the developer would have to use user authentication to get permission from the user to post a tweet on their behalf. 

In other words, a signed request identifies an application’s identity in addition to the identity accompanying granted permissions of the end-user the application is making API calls on behalf of, represented by the user’s access token.

User authentication requires the consumer key and secret from your Twitter app and the access token and access token secret from the user you are trying to act on the behalf of.

2. Application-only authentication aka app only

Application-only authentication is a form of authentication where an application makes API requests on its own behalf, without the user context. This method is for developers that just need to access public information. 

Example: If a developer is trying to view tweets or lists that are publically available, then they just have to use application-only authentication. 

To use this method, you need to use a bearer token. You can generate a bearer token by passing your consumer key and secret through the POST oauth2 / token endpoint. 

API calls are still rate limited per API method, but the pool each method draws from belongs to the entire application at large, rather than from a per-user limit. API methods that support this form of authentication will contain two rate limits in their documentation, one that is per user (for application-user authentication, and not to be confused with the first item of this list) and the other is per app (for this form of application-only authentication). Not all API methods support application-only authentication because some methods require a user context (for example, a Tweet can only be created by a logged-in user, so user context is required for that operation).