I believe you have a conversation going on with a business stakeholder to ensure the correct application is whitelisted now. Please check on that with your team, if you do not receive something, as access should be sorted.
As for the keys, we use OAuth 1.0A for all requests to the Twitter Ads API. You’ll have a Consumer Key and a Consumer Secret and these are associated with your Twitter Client Application (via apps.twitter.com). These are used in conjunction with the user tokens you get for each user you access the API on behalf of.
For each user that authenticates with your application, you will also get a user token and user secret, which will be used in signing your subsequent OAuth 1.0A requests made to the Twitter APIs on that user’s behalf. You’ll need those to access each user’s advertiser account.
For more information on the general Twitter OAuth flow for user-context (all Ads API endpoints), check out Single-user OAuth with Examples.
You will gain access to advertiser accounts via a user access token and it’s secret. The secret for both your application and each user is the equivalent to a password, so keep those secure. They will allow access to whatever accounts they also have permission to see at ads.twitter.com. For a summary of how to gain access to advertiser accounts, check out Obtaining Ads Account Access.
Finally, on stats as a CSV, we don’t return any CSVs like we do in our UI via the API. All of our responses are returned as JSON and you will need to construct a CSV if that’s the end result you’re looking for from the API calls that you make.
Hope this helps.