Twitter OAuth and Other Authentication Methods

Author: devraj

This post explains how authentication works on the Twitter APIs. Twitter uses three different methods:

  • OAuth 1.0a
  • OAuth 2.0 Bearer Token
  • Basic Authentication

What is OAuth?

OAuth is an open-standard authorization protocol (or framework) that describes how unrelated servers and services can safely allow authenticated access to their assets without sharing the user's original login credential.

OAuth doesn't share password data; instead it uses authorization tokens to prove an identity between consumers and service providers. It lets you approve one application interacting with another on your behalf without giving away your password.

OAuth 1.0a

Many endpoints on the Twitter developer platform use the OAuth 1.0a method to act, or make API requests, on behalf of a Twitter account. For example, if you have a Twitter developer app, you can make API requests on behalf of any Twitter account as long as that user authenticates your app.

Signing a request with keys and tokens: you have to sign each API request by passing several generated keys and tokens in an Authorization header. To start, generate these keys and tokens on your Twitter developer app's details page; they include oauth_consumer_key, oauth_consumer_secret, oauth_token and oauth_token_secret.

Making requests on behalf of users: you can generate a set of access tokens representing the Twitter account that owns the Twitter developer app from the app's details page. If you want to make a request on behalf of a different Twitter account, that account's owner must grant access to you by signing in to their account as part of the 3-legged OAuth flow. The output of this process is a set of access tokens (oauth_token and oauth_token_secret) that can be used to make an OAuth 1.0a request.

Once you have these keys and tokens, you can either create a signature from scratch. 
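As an added example (not code from the original post or from Twitter), here is a minimal Python implementation of the OAuth 1.0a HMAC-SHA1 signing step described above, using the four credentials the post names; the credential values, nonce, timestamp and status-update request below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    # OAuth 1.0a requires RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Encode every key and value, sort by key then value, join as k=v&k=v, then
    # encode that whole parameter string again when appending it to METHOD&URL&...
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(param_string)])


def sign(method, url, params, consumer_secret, token_secret):
    # Signing key is consumer_secret&token_secret (each percent-encoded); output is base64 of HMAC-SHA1
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def build_authorization_header(method, url, request_params, creds, nonce=None, timestamp=None):
    # oauth_* parameters take part in the signature together with the query/body parameters;
    # a fresh nonce and a current timestamp are what let the server reject replayed requests
    oauth_params = {
        "oauth_consumer_key": creds["oauth_consumer_key"],
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": creds["oauth_token"],
        "oauth_version": "1.0",
    }
    all_params = {**request_params, **oauth_params}
    oauth_params["oauth_signature"] = sign(
        method, url, all_params, creds["oauth_consumer_secret"], creds["oauth_token_secret"]
    )
    # Only the oauth_* parameters go into the header; request parameters travel in the query/body
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


if __name__ == "__main__":
    creds = {"oauth_consumer_key": "example-consumer-key", "oauth_consumer_secret": "example-consumer-secret",
             "oauth_token": "example-access-token", "oauth_token_secret": "example-access-token-secret"}
    print(build_authorization_header("POST", "https://api.twitter.com/1.1/statuses/update.json",
                                     {"status": "Hello Ladies + Gentlemen, a signed OAuth request!"}, creds))
```

Because the secrets only ever feed the HMAC key and never appear in the header, anyone intercepting the request sees the signature but cannot forge a different one; this is why the oauth_consumer_secret and oauth_token_secret must be stored as carefully as a password.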

OAuth 2.0 Bearer Token

OAuth 2.0 Bearer Token is the application-only authentication method for authenticating with the Twitter API. As this method is specific to the application, it does not involve any users. It is typically used by developers who need read-only access to public information.

API calls using app-only authentication are rate limited per API method at the app level.

To use this method, you'll need a bearer token, which you can generate by passing your consumer key and secret through the POST oauth2/token endpoint. If you'd like to revoke a bearer token, you can use the POST oauth2/invalidate_token endpoint.

Basic authentication

Many of Twitter's enterprise APIs, such as the PowerTrack API, 30-Day Search API and Usage API, require the use of HTTP Basic Authentication.

To make a successful request to an API that requires Basic Authentication, you must pass a valid email address and password combination as an authorization header for each request. The email and password combination is the same one you use to access the enterprise API console, and it can be edited from within that console.

When building a request using Basic Authentication, make sure you add the Authorization: Basic HTTP header with the base64-encoded credentials, and send it only over HTTPS, since the encoding is not encryption and the credentials are otherwise exposed to anyone on the path.