OAuth with the Twitter APIs

Twitter uses OAuth 1.0a and OAuth2 to provide authorized access to the API.


Twitter API Authentication Model

Application-only authentication: OAuth2 (bearer token) 

Application-only authentication is a form of authentication where an application makes API requests on its own behalf, without a user context. This method is for developers who only need read-only access to public information.

Example: if a developer only needs to view Tweets or lists that are publicly available, application-only authentication is sufficient.

To use this method, you need a bearer token. You can generate a bearer token by passing your consumer key and secret to the POST oauth2/token endpoint.

API calls using app-only authentication are rate limited per API method at the app level. Not all API methods support application-only authentication, because some methods require a user context (for example, a Tweet can only be created by a logged-in user, so user context is required for that operation).


Application-user authentication: OAuth 1.0a (access token for user context)

User authentication allows an authorized app to act on behalf of the user, as the user.

Example: if a developer wanted to build a feature that would allow a user to post Tweets through their platform using the statuses/update endpoint, the developer would have to use user authentication to get permission from the user to post a Tweet on their behalf. 

In other words, a signed request carries the application's identity together with the identity and granted permissions of the end user on whose behalf the application is making API calls, represented by the user's access token.

User authentication requires the consumer key and secret from your Twitter app, plus the access token and access token secret obtained through the 3-legged OAuth process with the user on whose behalf the developer is acting. Not all API methods support application-user authentication.
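The signing step described above, as an added example that is not Twitter's own code: an OAuth 1.0a HMAC-SHA1 signer for the client side and the matching verifier a server would run, showing how the consumer secret and access token secret together key the signature and how any change to a signed parameter makes verification fail. The endpoint URL is the statuses/update endpoint named on this page; consumer key CK, consumer secret CS, access token T and token secret TS used in the test are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote


def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Za-z0-9 - . _ ~ stay unescaped
    return quote(s, safe="-._~")

def signature_base_string(method, url, params):
    # METHOD & encoded URL & encoded(sorted "k=v" pairs); params = query/body + oauth_* minus oauth_signature
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer secret & token secret; the '&' stays even when there is no token secret
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_authorization_header(method, url, request_params, consumer_key, consumer_secret,
                               access_token, access_token_secret, nonce=None, timestamp=None):
    # Client side: the header carries the app identity (consumer key) and the user identity (token)
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),      # unique per request (replay detection)
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**request_params, **oauth},
                                    consumer_secret, access_token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def parse_authorization_header(header):
    # Turn 'OAuth k="v", k="v"' back into a dict of decoded oauth_* parameters
    items = (item.split("=", 1) for item in header[len("OAuth "):].split(", "))
    return {unquote(k): unquote(v.strip('"')) for k, v in items}

def verify(method, url, request_params, header, consumer_secret, token_secret):
    # Server side: recompute over the request as received; a changed parameter or wrong secret fails
    oauth = parse_authorization_header(header)
    presented = oauth.pop("oauth_signature")
    expected = sign(method, url, {**request_params, **oauth}, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

The verifier rejects a replayed header whose status text was altered because the signature covers every request parameter, not just the oauth_* ones.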


API methods that support both forms of authentication list two rate limits in the documentation: one per app (for application-only authentication) and one per user (for application-user authentication). Not all API methods support both types of authentication.
