How to request Read and Read+Write permissions on the same app?

carlosgnet · 2022-04-23T22:44:05.708Z

Hey everyone!

My app uses the Twitter API v1.1 and asks for Read+Write permissions.

Many users are uncomfortable with providing Write permissions so I will be launching a new Lite tier of my app which will require Read permissions only (the current tier will keep requesting Read+Write).

The problem I’m facing is that on the Twitter Developer Dashboard there is no way to add a different set of permissions to my app.

I know that I can rename my app to something like MyApp(Read+Write) and create a new MyApp(Read only) but that is not what I’m looking for.

IgorBrigadir · 2022-04-23T23:29:14.173Z

I think creating a separate app is still better and more obvious to users, but, it should be possible to specify read only permissions as part of the request token step: Set x_auth_access_type when calling POST oauth/request_token | Docs | Twitter Developer Platform

Overrides the access level an application requests to a user’s account. Supported values are read or write . This parameter is intended to allow a developer to register a read/write App, but also request read-only access when appropriate.

Alternatively, maybe the new oauth2 approach with scopes may be useful to you later? OAuth 2.0 Authorization Code Flow with PKCE | Docs | Twitter Developer Platform

carlosgnet · 2022-04-24T17:26:30.354Z

Thank you for the info!

If I use x_auth_access_type will requesting new permissions (Read) for a user invalidate the old token (Read+Write) for the same user?

IgorBrigadir · 2022-04-24T22:55:02.893Z

No idea! Haven’t tried it myself but I would expect the old token gets revoked when a new one is created.

abraham · 2022-04-25T14:15:10.056Z

Tokens being overwritten

[…] if the user has authorized the app for write permission and call the authenticate workflow with read only permission, the authorization with write permission remains intact (as expected) […]

There is some evidence that if you have R+W permission and send a user through authorization with R specified, the existing permission levels will remain. That may not stand anymore and it may not stand for R+W+D.

Connexinet · 2022-04-26T03:25:41.100Z

Abraham is correct! The same behavior is still the same after 4 years:)
Read only permission would not invalidate write permissions it will keep them, but make sure to use the authenticate workflow, not authorize workflow.
If the authorize workflow was used, the old token is revoked and a new access token is issued. The same cannot be done for R+W+D => R+W