You are misunderstanding something. You do not need the Access tokens for App Only Auth, that is the whole point of it, since giving away the Access tokens would make it possible for users to access your Account.

As you can see in this diagram the steps for App only auth are the following:
- Use Consumer key and Secret to request Bearer token.
- You use this bearer token to authenticate requests on behalf of your App.

The most important thing here is that the Bearer token should be treated as sensitive as passwords, which is explicitly noted in a super-large section on the docs:

> Keep in mind that the consumer key & secret, bearer token credentials, and the bearer token itself grant access to make requests on behalf of an application. These values should be considered as sensitive as passwords and must not be shared or distributed to untrusted parties.

Therefore you can’t use them in your JavaScript code, as it would leak them to third parties. Another issue would be that Twitter API responses do not contain the needed CORS Headers, so you would again run into issues there.
While leaking the bearer token would not make it possible to do any ‘serious’ things, it is still not very good to do so, so you should avoid it.
If you need to make requests to the Twitter API using JavaScript, the best option you have is to use a server-side proxy that knows your tokens, instead of putting them in your JavaScript code.
Update: You might ask what is the whole reason for App auth then, it is for the case when your App needs to fetch data from Twitter, but you don’t want or can’t ask a user to authenticate with your App.
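
A sketch of the server-side proxy suggested above, as an added example that is not part of the original answer. It runs the two app-only steps on the server (Node 18+), so the browser never sees the consumer key, secret or bearer token. The `createProxy` and `handle` names, the path allow-list, the `origin` value and the injectable `fetchImpl` are assumptions made for illustration.

```javascript
// Added example: the app-only credentials live on the server only (Node 18+).
// allowedPaths, origin and fetchImpl are illustrative assumptions.
const TOKEN_URL = 'https://api.twitter.com/oauth2/token';
const API_BASE = 'https://api.twitter.com';

// Step 1: consumer key and secret are sent as HTTP Basic credentials.
function buildTokenRequest(key, secret) {
  const pair = `${encodeURIComponent(key)}:${encodeURIComponent(secret)}`;
  return {
    method: 'POST',
    headers: {
      Authorization: `Basic ${Buffer.from(pair).toString('base64')}`,
      'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
    },
    body: 'grant_type=client_credentials',
  };
}

function createProxy({ key, secret, allowedPaths, origin, fetchImpl = globalThis.fetch }) {
  let bearer = null; // cached in server memory, never sent to the client

  async function getBearer() {
    if (bearer) return bearer;
    const res = await fetchImpl(TOKEN_URL, buildTokenRequest(key, secret));
    const data = await res.json();
    if (!res.ok || data.token_type !== 'bearer') throw new Error('token request failed');
    bearer = data.access_token;
    return bearer;
  }

  // Step 2: your HTTP route calls this with the path and params the browser sent.
  return async function handle(path, params = {}) {
    // Exact-match allow-list, so the proxy cannot be steered to other endpoints.
    if (!allowedPaths.includes(path)) {
      return { status: 403, headers: {}, body: '{"error":"path not allowed"}' };
    }
    const qs = new URLSearchParams(params).toString();
    const res = await fetchImpl(`${API_BASE}${path}${qs ? '?' + qs : ''}`, {
      headers: { Authorization: `Bearer ${await getBearer()}` },
    });
    // Only status and body go back; the CORS header names your own site.
    return {
      status: res.status,
      headers: { 'Access-Control-Allow-Origin': origin, 'Content-Type': 'application/json' },
      body: await res.text(),
    };
  };
}
```

Load `key` and `secret` from the server's environment or secret store, and call `handle` from whatever HTTP framework serves your page.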