
Application authentication

Application authentication is a form of authentication where the application makes API requests on its own behalf, without a user context. API calls are often rate limited per API method, but the quota each method draws on is shared by your entire application rather than allocated per user.

For the purposes of social media analysis, in most cases we will use application authentication: we create an application on each social media platform, and that application queries the related API.

Several steps are required to set up a client with OAuth authorization:

  1. Creating a user/developer account: First of all, you have to register a user/developer account and provide personal information such as a valid email address, name, surname, country, and in many cases a valid telephone number (the verification process is done by sending you a text message with a code).
  2. Creating an application: Once you create your account, you will have access to a dashboard, which is very often called a developer console. It provides all the functionalities to manage your developer account, create and delete applications, or monitor your quota. In order to obtain access credentials you will have to create your first application via this interface.
  3. Obtaining access tokens: Then, you generate access tokens for your application and save them in a safe place. They will be used in your code to create an OAuth connection to the API.
  4. Authorizing HTTP requests (optional): Some APIs require HTTP request authorization, which means that a request has to contain an additional authorization header that provides the server with information about the identity of the application and permission scope.
  5. Setting up permission scopes (optional): Some APIs have the notion of multilevel permissions. In that case, when you generate your API key you need to specify the scope for the key. Scope here refers to a set of allowed actions, so when an application attempts an action that is out of its scope, the action is refused. This is designed as an additional security layer. Ideally, one should use multiple API keys, each with a restricted scope, so that if an API key is hijacked, the restrictions in its scope limit the potential harm.
  6. Connecting to the API using obtained access tokens: When all the preceding steps are configured, you can make requests using your access tokens. Now, the only limitation is the request quota, which depends on each platform.
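
The following sketch ties steps 3 to 5 together; it is an added example, not code from the book. It assumes an OAuth 2.0 bearer-style authorization header, and the environment variable names, scope names and `api.example.com` URL are hypothetical. Tokens are read from the environment rather than hard-coded, the narrowest-scoped key that permits the action is chosen, and the request is built but not sent.

```python
import os
import urllib.request

# Hypothetical key inventory: env var holding the token -> scopes granted to it.
# Names and scopes are constructed for this example.
KEYS = {
    "SOCIAL_API_TOKEN_READ": frozenset({"read"}),
    "SOCIAL_API_TOKEN_FULL": frozenset({"read", "write", "delete"}),
}

class ScopeError(Exception):
    """No configured key is allowed to perform the requested action."""

def pick_key(action, keys=KEYS, env=os.environ):
    """Return (env_name, token) for the narrowest-scoped key that permits action."""
    candidates = [(len(scopes), name) for name, scopes in keys.items()
                  if action in scopes and env.get(name)]
    if not candidates:
        raise ScopeError(f"no available key grants scope {action!r}")
    _, name = min(candidates)  # fewest scopes wins, limiting harm if it leaks
    return name, env[name]

def redact(token):
    """Safe form for logs: never print the full secret."""
    return token[:4] + "..." if len(token) > 8 else "***"

def build_request(url, action, method="GET", keys=KEYS, env=os.environ):
    """Build (not send) an HTTP request carrying the authorization header (step 4)."""
    name, token = pick_key(action, keys, env)
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")  # assumed bearer scheme
    return name, req

if __name__ == "__main__":
    # Constructed tokens, for demonstration only.
    demo_env = {"SOCIAL_API_TOKEN_READ": "r-constructed-0001",
                "SOCIAL_API_TOKEN_FULL": "f-constructed-0002"}
    name, req = build_request("https://api.example.com/v1/posts", "read", env=demo_env)
    print(name, redact(req.get_header("Authorization").split()[1]))
```

The client-side scope check is a convenience that fails early; the API server remains the component that actually enforces a key's scope.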