.. _authentication:

.. currentmodule:: tweepy

**************
Authentication
**************

This supplements Twitter's `Authentication documentation`_.

.. _Authentication documentation: https://developer.twitter.com/en/docs/authentication/overview

Introduction
============

Tweepy supports the OAuth 1.0a User Context, OAuth 2.0 Bearer Token (App-Only),
and OAuth 2.0 Authorization Code Flow with PKCE (User Context) authentication
methods.

Twitter API v1.1
================

OAuth 2.0 Bearer Token (App-Only)
---------------------------------
The simplest way to generate a bearer token is through your app's Keys and
Tokens tab under the `Twitter Developer Portal Projects & Apps page`_.

.. _Twitter Developer Portal Projects & Apps page: https://developer.twitter.com/en/portal/projects-and-apps

You can then initialize :class:`OAuth2BearerHandler` with the bearer token and
initialize :class:`API` with the :class:`OAuth2BearerHandler` instance::

    import tweepy

    auth = tweepy.OAuth2BearerHandler("Bearer Token here")
    api = tweepy.API(auth)

Alternatively, you can use the API / Consumer key and secret that can be found
on the same page and initialize :class:`OAuth2AppHandler` instead::

    import tweepy

    auth = tweepy.OAuth2AppHandler(
        "API / Consumer Key here", "API / Consumer Secret here"
    )
    api = tweepy.API(auth)

OAuth 1.0a User Context
-----------------------
Similarly, the simplest way to authenticate as your developer account is to
generate an access token and access token secret through your app's Keys and
Tokens tab under the `Twitter Developer Portal Projects & Apps page`_.

You'll also need the app's API / consumer key and secret that can be found on
that page.

You can then initialize :class:`OAuth1UserHandler` with all four credentials
and initialize :class:`API` with the :class:`OAuth1UserHandler` instance::

    import tweepy

    auth = tweepy.OAuth1UserHandler(
       "API / Consumer Key here", "API / Consumer Secret here",
       "Access Token here", "Access Token Secret here"
    )
    api = tweepy.API(auth)

To authenticate as a different user, see :ref:`3-legged OAuth`.

Twitter API v2
==============

Tweepy's interface for Twitter API v2, :class:`Client`, handles OAuth 2.0
Bearer Token (application-only) and OAuth 1.0a User Context authentication for
you.

OAuth 2.0 Bearer Token (App-Only)
---------------------------------
The simplest way to generate a bearer token is through your app's Keys and
Tokens tab under the `Twitter Developer Portal Projects & Apps page`_.

You can then simply pass the bearer token to :class:`Client` when initializing
it::

    import tweepy

    client = tweepy.Client("Bearer Token here")

OAuth 1.0a User Context
-----------------------
Similarly, the simplest way to authenticate as your developer account is to
generate an access token and access token secret through your app's Keys and
Tokens tab under the `Twitter Developer Portal Projects & Apps page`_.

You'll also need the app's API / consumer key and secret that can be found on
that page.

You can then simply pass all four credentials to :class:`Client` when
initializing it::

    import tweepy

    client = tweepy.Client(
        consumer_key="API / Consumer Key here",
        consumer_secret="API / Consumer Secret here",
        access_token="Access Token here",
        access_token_secret="Access Token Secret here"
    )

To authenticate as a different user, see :ref:`3-legged OAuth`.

OAuth 2.0 Authorization Code Flow with PKCE (User Context)
----------------------------------------------------------
You can generate an access token to authenticate as a user using
:class:`OAuth2UserHandler`.

You'll need to turn on OAuth 2.0 under the User authentication settings section
of your app's Settings tab under the
`Twitter Developer Portal Projects & Apps page`_. To do this, you'll need to
provide a Callback / Redirect URI / URL.

Then, you'll need to note the app's Client ID, which you can find through your
app's Keys and Tokens tab under the
`Twitter Developer Portal Projects & Apps page`_. If you're using a
confidential client, you'll also need to generate a Client Secret.

You can then initialize :class:`OAuth2UserHandler` with the scopes you need::

    import tweepy

    oauth2_user_handler = tweepy.OAuth2UserHandler(
        client_id="Client ID here",
        redirect_uri="Callback / Redirect URI / URL here",
        scope=["Scope here", "Scope here"],
        # Client Secret is only necessary if using a confidential client
        client_secret="Client Secret here"
    )

For a list of scopes, see the Scopes section of Twitter's
`OAuth 2.0 Authorization Code Flow with PKCE documentation`_.

.. _OAuth 2.0 Authorization Code Flow with PKCE documentation: https://developer.twitter.com/en/docs/authentication/oauth-2-0/authorization-code

Then, you can get the authorization URL::

    print(oauth2_user_handler.get_authorization_url())

This can be used to have a user authenticate your app. Once they've done so,
they'll be redirected to the Callback / Redirect URI / URL you provided. You'll
need to pass that authorization response URL to fetch the access token::

    access_token = oauth2_user_handler.fetch_token(
        "Authorization Response URL here"
    )

You can then pass the access token to :class:`Client` when initializing it::

    client = tweepy.Client("Access Token here")

3-legged OAuth
==============
This section supplements Twitter's `3-legged OAuth flow documentation`_.

.. _3-legged OAuth flow documentation: https://developer.twitter.com/en/docs/authentication/oauth-1-0a/obtaining-user-access-tokens

To authenticate as a user other than your developer account, you'll need to
obtain their access tokens through the 3-legged OAuth flow.

First, you'll need to turn on OAuth 1.0 under the User authentication settings
section of your app's Settings tab under the
`Twitter Developer Portal Projects & Apps page`_. To do this, you'll need to
provide a Callback / Redirect URI / URL.

Then, you'll need the app's API / consumer key and secret that can be found
through your app's Keys and Tokens tab under the
`Twitter Developer Portal Projects & Apps page`_.

You can then initialize an instance of :class:`OAuth1UserHandler`::

    import tweepy

    oauth1_user_handler = tweepy.OAuth1UserHandler(
        "API / Consumer Key here", "API / Consumer Secret here",
        callback="Callback / Redirect URI / URL here"
    )

Then, you can get the authorization URL::

    print(oauth1_user_handler.get_authorization_url())

To use Log in with Twitter / Sign in with Twitter, you can set the
``signin_with_twitter`` parameter when getting the authorization URL::

    print(oauth1_user_handler.get_authorization_url(signin_with_twitter=True))

This can be used to have a user authenticate your app. Once they've done so,
they'll be redirected to the Callback / Redirect URI / URL you provided, with
``oauth_token`` and ``oauth_verifier`` parameters.

You can then use the verifier to get the access token and secret::

    access_token, access_token_secret = oauth1_user_handler.fetch_token(
        "Verifier (oauth_verifier) here"
    )

If you need to reinitialize :class:`OAuth1UserHandler`, you can set the request
token and secret afterward, before using the verifier to get the access token
and secret::

    request_token = oauth1_user_handler.request_token["oauth_token"]
    request_secret = oauth1_user_handler.request_token["oauth_token_secret"]

    new_oauth1_user_handler = tweepy.OAuth1UserHandler(
        "API / Consumer Key here", "API / Consumer Secret here",
        callback="Callback / Redirect URI / URL here"
    )
    new_oauth1_user_handler.request_token = {
        "oauth_token": "Request Token (oauth_token) here",
        "oauth_token_secret": request_secret
    }
    access_token, access_token_secret = new_oauth1_user_handler.fetch_token(
        "Verifier (oauth_verifier) here"
    )

Otherwise, you can simply use the old instance of :class:`OAuth1UserHandler`.

You can then use this instance of :class:`OAuth1UserHandler` to initialize
:class:`API`::

    api = tweepy.API(oauth1_user_handler)

You can also use the ``access_token`` and ``access_token_secret`` to initialize
a new instance of :class:`OAuth1UserHandler` to initialize :class:`API`::

    auth = tweepy.OAuth1UserHandler(
       "API / Consumer Key here", "API / Consumer Secret here",
       "Access Token here", "Access Token Secret here"
    )
    api = tweepy.API(auth)

For initializing :class:`Client`, you can pass ``access_token`` and
``access_token_secret`` directly::

    client = tweepy.Client(
        consumer_key="API / Consumer Key here",
        consumer_secret="API / Consumer Secret here",
        access_token="Access Token here",
        access_token_secret="Access Token Secret here"
    )

PIN-based OAuth
---------------
This section supplements Twitter's `PIN-based OAuth documentation`_.

.. _PIN-based OAuth documentation: https://developer.twitter.com/en/docs/authentication/oauth-1-0a/pin-based-oauth

The PIN-based OAuth flow can be used by setting the ``callback`` parameter to
``"oob"``::

    import tweepy

    oauth1_user_handler = tweepy.OAuth1UserHandler(
        "API / Consumer Key here", "API / Consumer Secret here",
        callback="oob"
    )

You can then get the authorization URL the same way::

    print(oauth1_user_handler.get_authorization_url())

When the user authenticates with this URL, they'll be provided a PIN. You can
retrieve this PIN from the user to use as the verifier::

    verifier = input("Input PIN: ")
    access_token, access_token_secret = oauth1_user_handler.fetch_token(
        verifier
    )

You can then use the instance of :class:`OAuth1UserHandler` and/or the
``access_token`` and ``access_token_secret``.

Reference
=========

.. autoclass:: OAuth1UserHandler
   :members:
   :member-order: bysource

.. autoclass:: OAuthHandler

.. autoclass:: OAuth2AppHandler

.. autoclass:: AppAuthHandler

.. autoclass:: OAuth2BearerHandler
   :show-inheritance:

.. autoclass:: OAuth2UserHandler
   :members:
   :member-order: bysource
   :show-inheritance:
