Applications with direct message read permissions can retrieve the information needed to securely display images included in Direct Messages using the REST API and OAuth 1.0A. As with Tweets that include media, direct message images are represented as media entities, and image variants are available by appending suffixes to the media URL.
Unlike media shared in Tweets, media shared in direct messages requires authorization to view. This authorization can be presented via an authenticated twitter.com session or by signing a request with the user’s access token using OAuth 1.0A.
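The signed-request path described above, as an added example that is not code from the original page: it builds the OAuth 1.0a `Authorization` header for a GET of a direct message image using only the Python standard library. The media URL, the `:large` suffix, the HMAC-SHA1 signature method and all credential values are assumptions or constructed placeholders; take the real URL from the message's media entity.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def enc(value):
    # RFC 5849 section 3.6: everything except unreserved characters is escaped.
    return quote(str(value), safe="-._~")

def base_string(url, oauth):
    # Signature base string for a GET: method, base URI, sorted parameters.
    parts = urlsplit(url)
    params = list(oauth.items()) + parse_qsl(parts.query, keep_blank_values=True)
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join(["GET", enc(base_uri), enc(normalized)])

def sign_media_get(media_url, suffix, consumer_key, consumer_secret,
                   token, token_secret, nonce=None, timestamp=None):
    """Return (url, headers) for an OAuth 1.0a signed GET of a DM image."""
    url = media_url + suffix  # variant is part of the path, so it is signed too
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    # Signing key: consumer secret and the user's token secret, joined by "&".
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(url, oauth).encode(), hashlib.sha1).digest()
    oauth["oauth_signature"] = base64.b64encode(digest).decode()
    header = "OAuth " + ", ".join(
        f'{enc(k)}="{enc(v)}"' for k, v in sorted(oauth.items()))
    return url, {"Authorization": header}

if __name__ == "__main__":
    # Constructed placeholders; real values come from the media entity and app settings.
    url, headers = sign_media_get(
        "https://media.example/dm/1/placeholder.jpg", ":large",
        "CONSUMER_KEY", "CONSUMER_SECRET", "ACCESS_TOKEN", "ACCESS_TOKEN_SECRET")
    print(url)
    print(headers["Authorization"])
```

Because the variant suffix is part of the signed path, a header computed for one variant does not authorize another; sign each URL separately and keep both secrets out of logs and client-side code.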
Note that it’s currently not possible to attach media to direct messages with