Reverse authentication for direct messages in iOS?


I have a little trouble understanding how to authorise and give access to users. I have an iOS application where I use the built-in framework to access the authenticated user's Twitter account. However, access to private messages requires me to use reverse authentication, right? I have tried to set up some code but eventually failed, so I hope you can help me. I tried to use this lovely sample project by Sean Cook, but my project gives me errors related to ARC. In some additional files (NSData+Base64.m, for example) he uses autorelease or [self zone], which are not available in iOS 6. On his GitHub page it says this is compatible with iOS 6; what is wrong?

All the best,


To access DMs you actually need to go further than reverse auth – which can only get you an access token at the permission level already negotiated with the user. You’ll need to implement the full web-based OAuth flow to explicitly ask a user to allow you to use direct messages.


Thank you Taylor for your quick response. I do not quite understand the differences between reverse authentication, OAuth and the authentication process I currently use with the built-in framework in iOS. Can you maybe shed some light on that?

Best regards,


The built-in framework kind of gives you a "virtual" application identity as communicated to Twitter through iOS, without having to explicitly create an application record on for your app. Apps created and accessed this way can use read-only or read-write access, but not RW+DM (with direct message reads).

If you register an app on, you can specify a permission level that includes direct message read capabilities, but in order to get a user to grant your application that permission, they need to see a screen that makes this clear to them. So to secure that permission, you need to use OAuth 1.0A's flow, resulting in a web browser view that obtains the user's explicit permission.

Reverse auth bridges the gap between the virtual application on iOS and the real app you've registered on. It allows you to transit an access token from the virtual app instance to your "real" app, mostly so you can make use of the access token on a server or other use case.

Ultimately, if you’re going to work with direct messages, you need to use OAuth 1.0A and callback-based redirects to secure that permission.

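The OAuth 1.0A flow Taylor describes above (request token with a callback, web-view authorization, verifier exchanged for an access token), as an added example that is not part of the original thread or of Twitter's own code. It builds and signs the three requests without sending them, so it runs offline; the endpoint URLs are assumed from Twitter's public OAuth documentation of the time, the request-token and callback values are constructed, and the only "real" vector is the signing example from Twitter's "Creating a signature" documentation (consumer key xvz1evFS4wEEPTGEFPHBog and friends), embedded here as a constructed test vector. The callback check in `leg3_parse_callback` is the session-fixation defence that 1.0A added over 1.0: the token echoed back must be the one this session issued.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode

# Twitter's OAuth 1.0a endpoints (assumed here from the public docs; not from the thread).
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"
ACCESS_TOKEN_URL = "https://api.twitter.com/oauth/access_token"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only -._~ stay unescaped."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted 'k=v' pairs joined by &)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; key is enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def oauth_params(consumer_key, token=None, nonce=None, timestamp=None):
    """The oauth_* parameters every signed request carries (fresh nonce/timestamp by default)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        params["oauth_token"] = token
    return params


def signed_request(method, url, oauth, body, consumer_secret, token_secret=""):
    """Build (not send) a request: oauth_* and body params are all signed; the oauth_*
    ones travel in the Authorization header, the rest as the form body."""
    signature = hmac_sha1_signature(method, url, {**oauth, **body}, consumer_secret, token_secret)
    header_params = {**oauth, "oauth_signature": signature}
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(header_params.items()))
    return {"method": method, "url": url, "headers": {"Authorization": header}, "body": urlencode(body)}


def leg1_request_token(consumer_key, consumer_secret, callback_url):
    """Leg 1: oauth_callback is signed in, so the server only redirects to the URL you chose."""
    oauth = oauth_params(consumer_key)
    oauth["oauth_callback"] = callback_url
    return signed_request("POST", REQUEST_TOKEN_URL, oauth, {}, consumer_secret)


def leg2_authorize_url(request_token_body):
    """Leg 2: parse the request_token response and build the URL to load in the web view.
    oauth_callback_confirmed=true is how a 1.0a server announces itself; refuse anything else."""
    fields = parse_qs(request_token_body, strict_parsing=True)
    if fields.get("oauth_callback_confirmed") != ["true"]:
        raise ValueError("server did not confirm the callback (OAuth 1.0, not 1.0a)")
    token, secret = fields["oauth_token"][0], fields["oauth_token_secret"][0]
    return AUTHORIZE_URL + "?" + urlencode({"oauth_token": token}), token, secret


def leg3_parse_callback(query, expected_request_token):
    """Callback hit: the echoed oauth_token must be the one this session issued, or an
    attacker could splice a token they authorized into the victim's session."""
    fields = parse_qs(query, strict_parsing=True)
    if fields.get("oauth_token") != [expected_request_token]:
        raise ValueError("oauth_token in callback does not match the pending request token")
    return fields["oauth_verifier"][0]


def leg3_access_token(consumer_key, consumer_secret, request_token, request_token_secret, verifier):
    """Leg 3: trade request token + verifier for the access token, signed with the request token secret."""
    oauth = oauth_params(consumer_key, token=request_token)
    oauth["oauth_verifier"] = verifier
    return signed_request("POST", ACCESS_TOKEN_URL, oauth, {}, consumer_secret, request_token_secret)


# Constructed test vector: the worked example from Twitter's "Creating a signature" documentation.
DOC_VECTOR = {
    "method": "POST",
    "url": "https://api.twitter.com/1/statuses/update.json",
    "consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "consumer_secret": "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw",
    "token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "token_secret": "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE",
    "nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
    "timestamp": 1318622958,
    "body": {"status": "Hello Ladies + Gentlemen, a signed OAuth request!", "include_entities": "true"},
}


def doc_vector():
    """Return (base string, signature) for DOC_VECTOR so the encoding can be checked end to end."""
    v = DOC_VECTOR
    params = {**oauth_params(v["consumer_key"], v["token"], v["nonce"], v["timestamp"]), **v["body"]}
    return (base_string(v["method"], v["url"], params),
            hmac_sha1_signature(v["method"], v["url"], params, v["consumer_secret"], v["token_secret"]))
```

The request-token secret from leg 2 has to be kept with the session until leg 3, since it is part of the signing key for the access-token exchange; the callback URL passed in leg 1 must be one registered for the app, and the web view should only be trusted to hand back the verifier, never the secrets.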

OK, great. Thank you Taylor. Do you happen to know any sources which will guide me through this process?

Best wishes,