I have a question on “Consumer Key” and “Consumer Secret” fields and Rate Limiting Policy


While I’ve developed several applications, two fields (Consumer key, Consumer secret) were required and two (Access token, Access token secret) WERE NOT REQUIRED on the menu “Home>My Applications>Application>OAuth tool” on dev.twitter.com. Recently I found the two fields (Access token, Access token secret) changed to REQUIRED (posted on March 15th).

Our first test with the two blank fields was OK; however, after the two fields were created by pressing “See OAuth signature for this request”, we have a problem using REST API Rate Limiting.

  1. Is it OK for those fields (Access token, Access token secret) to be blank?
  • We have other apps using this API. We wonder whether we need to change all other apps according to this changed policy.
  • If previously developed apps are not affected by the changed policy, can we also remove the already created values?
  2. When does the policy on Rate Limiting in Ver 1.1 change? (I found “Updated on Fri, 2013-03-15 09:32” on https://dev.twitter.com/docs/rate-limiting/1.1)

Thanks for your support in advance,


Access tokens are always required to make requests on behalf of a user. If you were making calls in API v1 without an access token, you were doing so without a user context – and without an application context. Your requests would have been considered unauthenticated on methods that supported that failover.

API v1.1 requires either user-based auth through access tokens or application-based auth through an OAuth 2 application bearer token.

v1.1’s rate limiting model is in effect now on API v1.1.

I don’t know what you need to do about your apps, but you should definitely review your approach to auth and the API in general and make sure that you didn’t have some kind of misunderstanding.


Thanks for the answers.
Another question:

This page describes the following:
( https://dev.twitter.com/docs/api/1.1/get/statuses/user_timeline )
Rate Limited? YES & Requests per rate limit window : 180/user, 300/app

But this page describes the following:
( https://dev.twitter.com/docs/api/1.1/get/account/verify_credentials )
Rate Limited? YES & Requests per rate limit window : 15/user

It might have been something wrong?
Authentication at a time statuses multiple times?


I’m not sure I understand your question – can you rephrase?

account/verify_credentials can only be used with a user context and OAuth 1.0A. The method is meant to give you some confidence that your tokens are valid for use. You shouldn’t need to make requests to verify this status very often.


I am sorry for the question earlier, if I confused you.

What I am trying to do is query 4 APIs AT ONCE while loading a page: 1) statuses/home_timeline, 2) statuses/user_timeline, 3) statuses/mentions_timeline, 4) direct_messages
To verify whether the access token is valid or not, I also need to query “account/verify_credentials” followed by each API.

However, “account/verify_credentials” has a limitation of 15 times / 15 mins, and it’s too small a number for me to use while implementing apps.
Only 3 times / 15 min! Isn’t it awkward?

If I am missing anything, please kindly let me know how to use the API.

Thanks in advance,



I would only use account/verify_credentials at the beginning of what you perceive to be an “active session” by your end user. If the user chooses to revoke your application’s access on twitter.com during some point of that session, your requests to act on their behalf with their access tokens will begin failing – I would then use account/verify_credentials again to further clarify whether the oauth_token is now revoked.
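
The pattern from the last reply, as an added example that is not part of the original thread: verify once at the start of a session, make the four page-load calls without re-verifying, and spend another account/verify_credentials call only after a data call fails. `FakeClient`, `AuthError` and `UserSession` are hypothetical names; the client is a constructed stand-in that counts calls rather than talking to the API.

```python
class AuthError(Exception):
    """Hypothetical: raised when the API rejects a request's credentials."""

class FakeClient:
    """Constructed stand-in for an OAuth 1.0a HTTP client; counts calls."""
    def __init__(self):
        self.revoked = False   # flip to simulate the user revoking access
        self.calls = {}

    def get(self, endpoint):
        self.calls[endpoint] = self.calls.get(endpoint, 0) + 1
        if self.revoked:
            raise AuthError(endpoint)
        return {"endpoint": endpoint}

VERIFY = "account/verify_credentials"
PAGE_ENDPOINTS = ["statuses/home_timeline", "statuses/user_timeline",
                  "statuses/mentions_timeline", "direct_messages"]

class UserSession:
    """Verify once per session; re-verify only after a data call fails."""
    def __init__(self, client):
        self.client = client
        self.verified = False
        self.token_revoked = False

    def _verify(self):
        try:
            self.client.get(VERIFY)
            return True
        except AuthError:
            return False

    def call(self, endpoint):
        if self.token_revoked:
            raise AuthError("token revoked; user must re-authorize")
        if not self.verified:
            self.verified = self._verify()
            if not self.verified:
                self.token_revoked = True
                raise AuthError("token invalid at session start")
        try:
            return self.client.get(endpoint)
        except AuthError:
            # One verify call separates a revoked token from another failure.
            self.token_revoked = not self._verify()
            raise

def load_page(session):
    """The four calls from the thread, made in one page load."""
    return [session.call(e) for e in PAGE_ENDPOINTS]
```

Ten page loads in one session cost a single verify call against the 15/user window; once the token is marked revoked the session stops sending requests until the user re-authorizes.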