For the example get request:
https://api.twitter.com/1/statuses/user_timeline.json?include_entities=true&include_rts=true&screen_name=twitterapi&count=2
As documented here:
https://developer.twitter.com/en/docs/tweets/timelines/api-reference/get-statuses-user_timeline.html
I have an oauth user token and user token secret, plus my app credentials...
The docs state that authentication is supported, but how do I include it in the get request for screen names that are not publicly accessible?
If I understand your question right, you want to be able to get the tweets from a third-party user with the OAuth token and secrets belonging to a user on your site. The tweets from the third-party user are not publicly accessible, but your user has access rights to them. Is this right?
Generally if you want to access private ressources on behalf of your user, you have to sign the request with the OAuth token and your application credentials. Then Twitter can check, which user is signed in on your site and if the user gave your site access rights.
That signature is sent within the header of your GET request in a format like this:
Authorization:
OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog",
oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1318622958",
oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
oauth_version="1.0"
There is also documentation from Twitter on how to calculate the signature.