When you change the permissions on an application, any existing user-authenticated application keys you have also need to re-authenticate.
Example. I’m @andypiper. I auth to your app. I click OK. You receive an auth token relating to my account. Your app has read access to my account. Your app can read my timeline and profile and content etc.
You update your app permissions to read and write.
If you try to use the same auth token I granted you previously, you have only READ access to my account. You need to force me to re-authenticate as @andypiper to your app, for me to be presented with the new authentication opt-in screen, and for you to receive my new permissions in a new auth token.
Does that help? I realise I omitted Direct Message permissions, but the model is identical. The permissions are valid only at the time when the token was granted.
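
The grant-time binding described in the reply above, as an added toy model that is not part of the original post and not the platform's implementation. The `App` class, its method names, the level strings and the in-memory token store are all hypothetical.

```python
"""Toy model of grant-time permission binding (constructed for illustration)."""
import secrets

# Ordered weakest to strongest; hypothetical names for the tiers in the post.
LEVELS = ("read", "read-write", "read-write-directmessages")


class App:
    def __init__(self, permission="read"):
        self.permission = permission  # the app's current setting
        self._grants = {}             # token -> level frozen when it was granted

    def authorize(self, user):
        """User approves the opt-in screen: the new token snapshots the
        app's permission as it is at this moment."""
        token = f"{user}-{secrets.token_hex(8)}"
        self._grants[token] = self.permission
        return token

    def allowed(self, token, needed):
        """Allowed only if the level frozen into the token covers the action;
        the app's current setting is deliberately not consulted."""
        return LEVELS.index(self._grants[token]) >= LEVELS.index(needed)

    def users_needing_reauth(self, stored):
        """stored: the developer's own {user: token} map. Returns users whose
        token was granted below the app's current setting."""
        want = LEVELS.index(self.permission)
        return sorted(user for user, token in stored.items()
                      if LEVELS.index(self._grants[token]) < want)


def demo():
    app = App("read")
    stored = {"andypiper": app.authorize("andypiper")}   # granted while read-only
    app.permission = "read-write"                         # developer edits settings
    before = app.allowed(stored["andypiper"], "read-write")  # old token: still read
    stale = app.users_needing_reauth(stored)
    stored["andypiper"] = app.authorize("andypiper")      # user re-authenticates
    after = app.allowed(stored["andypiper"], "read-write")
    return before, stale, after, app.users_needing_reauth(stored)


if __name__ == "__main__":
    print(demo())
```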