If you use application-level authorisaion, you should use Oath2 authorisation path
Oath1 authorisation is a bit trickier, your application is authorised to act on behalf of an end user, so the latter has to grant this authority to your application. End user opens auth['auth_url']
url and grants permissions to your app on twitter.com, then he is redirected back to the application, that is where callback is used for. By processing this redirect, a web-based application communicates for access token. Read oauth begguide for more details.
There is a pin-based authoriazation flow in case you can't implement redirect handling. For this, you don't need to provide callback_url
, as user acceptance is handled differently. Your end user however still need somehow communicate to your application his pin code. See twython docs for steps starting from when you know pin implementation details