How to Obtain OAuth Token For Twitch Helix API


  • Share on Google+

In case you’re like me and haven’t ran your little janky/hacky scripts or applications that interact with Twitch’s Helix API (or New Twitch API, not to be confused with their API v5), you may come across this error when attempting to run it now:

{"error":"Unauthorized","status":401,"message":"OAuth token is missing"}

While I really should be trying to keep up to date with the changes to Twitch’s API(s), this gigantic change flew right by my radar. Turns out that back on May 1, 2020, the Helix API requires both the use of a Client ID and an OAuth token. Cool story bro.

In reading their updated documentation regarding this change, we must consider what type of token we need. In my case, I needed a simple App Access Token, or OAuth token, to use along side my Client ID.

I already had my Client ID, but in case you don’t have yours yet, you will need to go to your Twitch Developer Console and Register Your Application. If it’s just a quick, rough script or application you’re making, then you can simply use http://localhost for the OAuth Redirect URLs and then hit create. This should take you to an overview of your application which reveals your client_id. Just below that, you will need to click on the New Secret button under Client Secret in order to obtain your client_secret. Make sure to type out your Client Secret somewhere because once you navigate away from this page, it will disappear. If you ever need it again, you will need to create a new secret via the same method above.

Now that we have our application created, our Client ID and secret, and we know what type of token we need, we take that information and send a request to obtain the OAuth Token. The OAuth client credentials flow tells you the validation endpoint that you need to send the request to. This was changed and is now https://id.twitch.tv/oauth2/validate.

So now how do we do put this all together to send a request and get us that OAuth Token? Why, with curl -d of course. Because… because? Yup. Here is a lovely command that you can pop into your terminal and get your OAuth token. Basically the -d option for curl allows you to send the specified data in a POST request which is what we need to do.

$ curl -d "client_id=XXX&client_secret=XXX&grant_type=client_credentials" https://id.twitch.tv/oauth2/token

If done correctly, you should see confirmation similar to the following:

{"access_token":"XXX","expires_in":4706294,"token_type":"bearer"}

There you have it, your access_token is your OAuth token. And yes you are reading that correctly – app access tokens have an expiration. They appear to be around ~60 days according to the documentation.

One final note if you are using the Helix API, is that you will need to use the header Authorization: Bearer <OAuthToken> now.