Authenticating users

Basic definitions

User - A Twitter @user account. All write actions on the Twitter API require the user context. If you are building a bot, then the bot is a user. Customers interacting with the bot are also users. All messages sent on Twitter are between two User entities. For authentication purposes, each user has an Access Token (API key) and Access Token Secret (API secret) associated with it. 

Twitter app - A Twitter app can be created via the Twitter app dashboard page with an approved developer account.
If you have an existing Twitter app, you can view and edit it from the same Twitter app dashboard as long as you are logged into your Twitter account. 

An app is always owned by a single user. The app provides the base context for using the Twitter API, including the consumer and access tokens. 

Why do I need access tokens for user accounts?

All write actions using the Twitter API require access tokens. Reading private data such as Direct Messages also requires access tokens. Access tokens provide the user context and permissions when using the Twitter API.

In order for an app to read and write Direct Messages on behalf of a user, the user must grant permission to the app to do so. When a user grants permission, user tokens generated for that user are provided in API requests. Each subsequent API request for that user will then include these access tokens.
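How the tokens end up in each request, as an added example that is not part of the original documentation: it assumes OAuth 1.0a with HMAC-SHA1, the signing scheme Twitter's user-context API uses but this page does not name. The credentials are constructed placeholders, and the endpoint URL and helper names are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Constructed placeholder credentials: never commit real ones to source control.
SAMPLE_CREDS = {
    "consumer_key": "CONSUMER_KEY_PLACEHOLDER",        # identifies the app
    "consumer_secret": "CONSUMER_SECRET_PLACEHOLDER",  # app secret, stays server-side
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",        # identifies the user grant
    "access_token_secret": "TOKEN_SECRET_PLACEHOLDER", # user secret, stays server-side
}
# Assumed endpoint for illustration; it is not named on this page.
DM_LIST_URL = "https://api.twitter.com/1.1/direct_messages/events/list.json"

def pct(value):
    """Percent-encode per RFC 3986: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted 'k=v' parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with both the app secret and the user's token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def authorization_header(method, url, query, creds, nonce=None, timestamp=None):
    """Build the Authorization header; only the signature, not the secrets, is sent."""
    oauth = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_nonce": nonce or secrets.token_hex(16),   # unique per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": creds["access_token"],
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth})
    oauth["oauth_signature"] = sign(
        base, creds["consumer_secret"], creds["access_token_secret"])
    return "OAuth " + ", ".join(
        f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

if __name__ == "__main__":
    print(authorization_header("GET", DM_LIST_URL, {"count": "20"}, SAMPLE_CREDS))
```

The access token and consumer key travel in the header, while both secrets only key the HMAC, so a leaked header does not by itself let someone sign new requests.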

How do I generate the access tokens to read/write direct messages?

First, your app must have the “Read, Write and Access direct messages” permission enabled within the “Permissions” tab in an app's "Details" section, which you can access via the Twitter app dashboard.

Once the proper permissions are set, there are two types of scenarios where you will need to generate tokens:

1. User owns the app / Single User - If the user is the owner of the app, they can generate access tokens on the “Keys and Tokens” tab in an app's "Details" section within the Twitter app dashboard. Click the “Create” button in the "Access token & access token secret" section.

2. User does not own the app / Multiple Users - If your app is going to consume Account Activity events on behalf of multiple users, each user must authenticate with your app to grant permission. To achieve this, you must have a web app that implements Log in with Twitter.

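If you have access to the user accounts (e.g., test accounts), then you can use twurl to generate access tokens. The access tokens for each user will be stored in a .twurlrc file. That file holds the tokens and secrets in plain text, so keep it readable only by your own account and out of version control. See the docs for twurl on GitHub for details.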
