400 Bad Request - Missing Client ID (or client_secret) when refreshing token

Hey Team,

Every time I try to make a refresh token request, I’m getting either missing client_secret OR client_id. After browsing the whole discuss board I figure that I need to use Client-ID as well as change the old link.

Unfortunately, I’m still getting 400 error.

Any ideas?


client_id is missing.

You are sending Client-ID which is not client_id

It should also be in the body as described by the docs, not the header, which is why you’re getting a bad request response.

Much appreciated. We’re almost there!

Now, I’m getting "The parameter \"grant_type\" was malformed: value must be one of \"authorization_code\", \"password\"" message.

Same settings as above, but moved them to Body and changed Client-ID to client_id.

Looking at your image the only other issue I can see is that you’re using the wrong URL. For refresh tokens you should be using https://id.twitch.tv/oauth2/token

Yeah, so that was the link issue at the end. However, I’m still getting 400 “Missing refresh token” when I don’t have a refresh token. I’m using this OAuth flow: https://dev.twitch.tv/docs/authentication/getting-tokens-oauth/#oauth-client-credentials-flow so I’m not provided with one. Unless I misunderstood, and server-to-server OAuth Token doesn’t have to be refreshed at all?

(Note that app access tokens and ID tokens cannot be refreshed.)

They still expire, but it’s an app access token, you can just get a new one. Client tokens have a refresh token because otherwise you’d have to send the user through the OAuth process all over again, so refresh tokens in that situation lets you refresh the client access token without having to involve the user, a problem app access tokens do not have.

Hmm not sure if I follow 100% (still learning), so let me re-phrase my question:

  1. I have ‘static’ client_id and secret_id assigned to my account. They never change for my app (unless I forget my secret_id and need to create a new one. That’s understandable.

  2. Because I want to increase my request limit from 30 to 120, I decided to get an Authorization Token (Bearer Token). Unfortunately, this token does not have a pre-assigned refresh token which I could use to run this request:

   &refresh_token=<your refresh token> # I don't have this one
   &client_id=<your client ID>
   &client_secret=<your client secret>

Is there a way to refresh my Bearer Token then in a server-to-server API “integration” or should I simply request a new Bearer Token every time my old one expires?

PS: Thank you for your patience and support!

Just request a new one.

Ah ok. I simply misunderstood the concept of Bearer Token vs OAuth tokens which I am not using since it’s server-to-server. Now I get it. Thank you!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.