Thanks!

The app lets users send tweets or DMs and I didn’t find an obvious way to narrow the required permissions down to just that. But a few people have now pointed this issue out and I think I will just remove that functionality and require only read permissions.

You can also send users back through the oauth flow to up their permissions the first time they try to use the feature.

Thanks for the tip. If I end up keeping that feature, that seems to be a smart way to go about it. Due to time constraints, I was trying to keep it simple. Perhaps too simple.