verify_credentails with only consumer tokens is returning an unexpected user!


Calling verify_credentails only providing consumer tokens, without a access token or secret is returning a user that I can’t explain (but that I know of).

The twitter application whos consumer token and secret are being used is owned by user1
I am user2, a developer working on the software that is integrating with twitter.

when I make a request to /account/verify_credentials.json with authentication build from consumer_key and consumer_secret only, I might expect to get back user1’s user object (as he owns that application) if anything. However, I am getting back user2 user object…

Can anyone explain how this could happen? I’m very confused…