"User auth" always consumes the "App auth" request limit



I’m developing an app which enables users to sign in with Twitter via OAuth, where my backend then executes calls to the REST API on the user’s behalf, that is, with each user access token.

After reading the API documentation and forum threads, I’m expecting that each user can consume an endpoint rate limit (user auth) in his own 15 minute window.

However, what is happening is that a user can only make as many request as those remaining available in the app auth limit, and after that limit is reached, all users sending requests to the endpoint get the “Rate limit exceeded” error.

Did I misunderstand and the “user auth” limit only makes sense in a multi app context, or is there a flaw in my authentication/request process?

Below is the flow of user interactions in my application, with the Authorization headers for each request, so hopefully someone can help me make it work as expected. The following header fields will be omitted: oauth_nonce, oauth_signature, oauth_signature_method, oauth_timestamp and oauth_version (1.0).

1. When the user performs “Login with Twitter”, a GET request is sent to my backend app which requests a “request token”.

POST api.twitter.com/oauth/request_token

  • consumer_key
  • consumer_secret
  • callback

2. When the request token is received client-side, it redirects to the Twitter authentication page adding the request token to the querystring.

GET api.twitter.com/oauth/authenticate?token=<request_token>

3. The Callback URL of my twitter app is a backend route which requests an access token and saves it alongside the token_secret as cookies.

POST https://api.twitter.com/oauth/access_token

  • consumer_key
  • consumer_secret
  • token (request)
  • token_secret (request)
  • verifier

4. Once an user is logged in, he can make one request to my backend side which will make 15 calls to a REST API endpoint on the user’s behalf, i.e, with the token saved on the request cookie.

GET api.twitter.com/1.1/friends/list.json?screen_name=<some_user>

  • consumer_key
  • consumer_secret
  • token (access)
  • token_secret (access)

Can anyone help me figure out why the “app auth” limit is being consumed instead the “user auth” limit, considering that the token I’m sending is the access token generated for each user?



If you call GET account/verify_credentials whose info do you get back?


Thanks @abraham for the reply.

I was getting “Your credentials do not allow access to this resource”, so I inspected my headers and found out what was wrong.

So fixed! Thanks a bunch :smile: