I’m developing an app which enables users to sign in with Twitter via OAuth, where my backend then executes calls to the REST API on the user’s behalf, that is, with each user access token.
After reading the API documentation and forum threads, I’m expecting that each user can consume an endpoint rate limit (user auth) in his own 15 minute window.
However, what is happening is that a user can only make as many requests as those remaining available in the app auth limit, and after that limit is reached, all users sending requests to the endpoint get the “Rate limit exceeded” error.
Did I misunderstand and the “user auth” limit only makes sense in a multi app context, or is there a flaw in my authentication/request process?
Below is the flow of user interactions in my application, with the Authorization headers for each request, so hopefully someone can help me make it work as expected. The following header fields will be omitted:
1. When the user performs “Login with Twitter”, a GET request is sent to my backend app which requests a “request token”.
2. When the request token is received client-side, it redirects to the Twitter authentication page adding the request token to the querystring.
3. The Callback URL of my twitter app is a backend route which requests an access token and saves it alongside the token_secret as cookies.
4. Once a user is logged in, he can make one request to my backend side which will make 15 calls to a REST API endpoint on the user’s behalf, i.e., with the token saved on the request cookie.
Can anyone help me figure out why the “app auth” limit is being consumed instead of the “user auth” limit, considering that the token I’m sending is the access token generated for each user?
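The rate-limit context a request is counted against follows from which credentials sign it: an OAuth 1.0a header that carries the user's `oauth_token` and is signed with the consumer secret plus that user's `oauth_token_secret` is a user-context request, while a `Bearer` token (or a signed header with no user token) is application context. The following is an added example, not code from the original post or from Twitter: it builds a user-context OAuth 1.0a HMAC-SHA1 header as RFC 5849 specifies, classifies a header by the context it will be counted in, and reads the `x-rate-limit-*` response headers the v1.1 REST API sends so each user's remaining budget can be logged per request. Every credential, nonce, timestamp and header value below is a constructed sample.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD & encoded URL & encoded, sorted 'k=v' list of all query, body and oauth_* params."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])


def signing_key(consumer_secret: str, token_secret: str) -> str:
    """The user's token secret is half of the key; omitting it signs in application context."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(base: str, key: str) -> str:
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def user_context_header(method, base_url, request_params, consumer_key, consumer_secret,
                        oauth_token, oauth_token_secret, nonce=None, timestamp=None) -> str:
    """Authorization header for a call made on behalf of the user who owns oauth_token."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": oauth_token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, base_url, {**request_params, **oauth_params})
    oauth_params["oauth_signature"] = sign(base, signing_key(consumer_secret, oauth_token_secret))
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


def auth_context(authorization_header: str) -> str:
    """Which rate-limit bucket a request with this header is counted against."""
    if authorization_header.startswith("Bearer "):
        return "app"                      # application-only auth: shared app bucket
    if authorization_header.startswith("OAuth ") and "oauth_token=" in authorization_header:
        return "user"                     # signed with a user access token: per-user bucket
    return "no-user-token"                # signed without oauth_token (e.g. request-token step)


def rate_limit_status(headers: dict, now: int) -> dict:
    """Parse the x-rate-limit-* headers the v1.1 API returns so per-user budgets can be logged."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "limit": int(h["x-rate-limit-limit"]),
        "remaining": int(h["x-rate-limit-remaining"]),
        "reset_in_s": max(0, int(h["x-rate-limit-reset"]) - now),
    }


# Constructed sample request: credential values are placeholders, not real keys.
SAMPLE_URL = "https://api.twitter.com/1.1/statuses/update.json"
SAMPLE_PARAMS = {"include_entities": "true",
                 "status": "Hello Ladies + Gentlemen, a signed OAuth request!"}
SAMPLE_CREDS = dict(consumer_key="example-consumer-key", consumer_secret="example-consumer-secret",
                    oauth_token="example-user-token", oauth_token_secret="example-user-secret")


def sample_header(token_secret: str = "example-user-secret") -> str:
    creds = {**SAMPLE_CREDS, "oauth_token_secret": token_secret}
    return user_context_header("POST", SAMPLE_URL, SAMPLE_PARAMS, nonce="nonce123",
                               timestamp=1318622958, **creds)


if __name__ == "__main__":
    hdr = sample_header()
    print(hdr)
    print("context:", auth_context(hdr))
    # Constructed response headers, as the v1.1 API would return them on the signed call.
    print(rate_limit_status({"x-rate-limit-limit": "15", "x-rate-limit-remaining": "14",
                             "x-rate-limit-reset": "1318623858"}, now=1318622958))
```

Two things follow from the code. The backend needs each user's `oauth_token_secret` to produce a user-context signature at all, so it is a credential that belongs in server-side storage keyed to the session rather than in a client-readable cookie. And logging `rate_limit_status(...)` on every response, together with `auth_context(...)` of the header actually sent, shows directly whether a given call was counted against the 15-per-window user bucket or the shared application bucket.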