The first way I’d evaluate this is – is the API call being made on behalf of an end user or is it on behalf of the thing you’ve created? If it’s on behalf of the thing you created, and that thing is a website, a service, a cron job, a full-featured application – then app-only auth should be used. A user context should be used when there is a user. An application context should be used when there is not.
There are still times when an application may have a dedicated user account representing itself – a bot is a good example – it’s both a user account and an application. It needs to read a home timeline, or a mentions timeline, and issue tweets on its own behalf. It’s a non-human user.
When an API call is made using a user account, a story is being told through the vehicle of the identified application. That user retrieved this user’s timeline. That user looked up these 1,000 user IDs. That user searched for “North Korea.” If the story you’re telling doesn’t involve a user as an actor or character, then application-only auth should probably be used.
Another use case is as a sidecar pool to draw from when the per-user limits prove mildly inadequate for a timely operation.
In the future, applications may gain additional capabilities in the platform. Application-only auth will be how an application leverages these capabilities.
Some devs will use a mix of both kinds of auth. Many will just use one or the other.
