The team is reviewing requests for access and we’re not able to provide estimates at this time.
Yes, this should be fine since you’re just looking for Direct Message events, not others.
Yes, the webhook security is based on the receiving app correctly responding to CRC token exchanges.
It may be possible to find your app ID based on consumer key, the team will have to let you know when they get to your application. The app ID is the numerical string in the URL when you’re looking at your app on apps.twitter.com
Yes, sure.
If your app receives a call on its regular callback URL without a crc_token parameter, it will be a Direct Message JSON object. If the call has a crc_token request parameter, your app is expected to reply with a valid CRC response.
That is exactly what webhooks are - effectively, an “onDirectMessage” callback event that your app needs to respond to.
The alternative to this integration would be a non-realtime polling application that periodically calls direct_messages/events/list to check for new messages, and then responding.
