
Difference between user and app-only auth?

Tags: twitter

I've been reading the Twitter docs but must be missing something.

User auth and app-only auth have different rate limits and capabilities, but I'm struggling to get a handle on use cases for each.

Is user auth just for "Sign in with Twitter" style apps, and so because you're acting on behalf of the user you can do more?

What is app only auth? I have generated a key manually for an account I have - because I created this manually without a user is that app only?

Very confused! Any help appreciated.

Jon asked Dec 13 '14 18:12


1 Answer

UPDATE Dec 2020: Twitter recently launched API v2, and rate limits related to user or app auth are better described in Twitter's official docs.

This means you can access this API function with either an app auth or a user auth token. Some requests you can only access with a user auth token.

App Auth number: the highest number of requests your app can make in a 15-minute window with an 'app auth' token.

User Auth number: the highest number of requests your app can make in a 15-minute window with a 'user auth' token.

You need to know how your library/module is getting auth. Source

Edit: App Auth and User Auth are the two ways the Twitter API can manage OAuth. You can see this with a Python example using the Twython module:

from twython import Twython

# App Auth
tw_auth = Twython(APP_KEY, APP_SECRET, oauth_version=2)
token = tw_auth.obtain_access_token()
twitter = Twython(APP_KEY, access_token=token)

Alternatively, if you want to authenticate with User Tokens:

from twython import Twython

# User Auth
tw_auth = Twython(APP_KEY, APP_SECRET)
# Returns a dict holding the request token, its secret and the authorization URL
auth = tw_auth.get_authentication_tokens()
twitter = Twython(APP_KEY, APP_SECRET, auth['oauth_token'],
                  auth['oauth_token_secret'])

(...this last method is a bit longer, because with the authentication tokens you need to call .get_authorized_tokens(prompted_pin) to make a new Twython method call. This is only an example to show that you need 4 keys/tokens instead of 2.)

Now, if you make a request, the counter for your 15min window depends on how you are authenticated:

# Now you are authenticated with *App Auth* or *User Auth*
# Limits will be 450 for AppAuth and 180 for UserAuth in 15min window
results = twitter.search(q='StackOverflow',result_type='recent', count='10')

These differences exist because not all API methods support application-only authentication. Some methods require a user context.

Edit:

I could do with real world scenarios where you would use one over the other?

Of course! Look at this chart about Twitter rate limits and compare. Sometimes you can't make requests with appAuth-only, for example user-related actions. Limits are different for each auth: if you want GET statuses/user_timeline, maybe you prefer AppAuth, but if you want GET lists/members, maybe you would prefer UserAuth, because it has some advantage with rate limits.

Rutrus answered Oct 19 '22 04:10
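
To make the "4 keys/tokens instead of 2" point in the answer above concrete, here is an added example (not part of the original answer and not Twython's own code) that builds, with the standard library only, what each auth mode puts on the wire: the OAuth 2 client-credentials request for app-only auth, and the OAuth 1.0a HMAC-SHA1 signed header for user auth. The credentials, nonce and timestamp are constructed placeholders, the helper names are hypothetical, and the two v1.1 endpoint URLs are assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed placeholder credentials (not real keys)
APP_KEY, APP_SECRET = "example-app-key", "example-app-secret"
USER_TOKEN, USER_TOKEN_SECRET = "1234-example-token", "example-token-secret"
SEARCH_URL = "https://api.twitter.com/1.1/search/tweets.json"  # assumed v1.1 endpoint

def pct(s):
    # RFC 3986 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def app_only_token_request(app_key, app_secret):
    """App-only auth: the 2 app secrets are exchanged for one bearer token."""
    creds = f"{pct(app_key)}:{pct(app_secret)}".encode()
    return {
        "url": "https://api.twitter.com/oauth2/token",
        "headers": {"Authorization": "Basic " + base64.b64encode(creds).decode()},
        "body": "grant_type=client_credentials",
    }

def signature_base_string(method, url, params):
    # Encode, then sort by name and value, then join (RFC 5849, section 3.4.1)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def user_auth_header(method, url, query, app_key, app_secret,
                     token, token_secret, nonce, timestamp):
    """User auth: all 4 secrets are needed and every request is signed."""
    oauth = {"oauth_consumer_key": app_key, "oauth_nonce": nonce,
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": timestamp,
             "oauth_token": token, "oauth_version": "1.0"}
    base = signature_base_string(method, url, {**query, **oauth})
    # The signing key binds the request to both the app and this one user
    key = f"{pct(app_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))

if __name__ == "__main__":
    print(app_only_token_request(APP_KEY, APP_SECRET)["headers"]["Authorization"])
    # Fixed nonce and timestamp keep the output reproducible; use fresh ones in practice
    print(user_auth_header("GET", SEARCH_URL, {"q": "StackOverflow"}, APP_KEY, APP_SECRET,
                           USER_TOKEN, USER_TOKEN_SECRET, "constructed-nonce", "1418494320"))
```

The bearer token obtained through the first request carries no user identity, which is why methods that require a user context cannot be called with it.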