Happy to help clarify…
In our documentation, when we talk about a “user” we’re always talking about an end-user. We’re usually talking about a use with a Twitter account.
We don’t refer to Twitter applications as users. The only exception is when a Twitter application’s access to the API is represented through a user’s connection – for instance, in the Streaming API you can connect via a user account that represents your application.
So to clarify, if an application has 100 users:
For each rate limit we report on v1.1 methods, you can make that many requests per 15 minutes per each of your access tokens but the access token must be used as the agent of the request.
For a method allowing 15 requests per 15 minute window, your application can make 15 * # of access tokens) requests to that endpoint.
Really, it’s the user who makes the requests to those endpoints – your application is just a vehicle for the user to make those requests.
IP addresses are no longer a factor in API v1.1 rate limiting. Your application’s identity and its relationship with each user is the entire basis of the new rate limiting in API v1.1.
In the near future, we’ll have an additional form of authorization that doesn’t require a user context – in this case, your application would make requests to something like the Search API completely of its own accord, with no associated user context.
Hope this helps clarify.