400 bad request with trying to get user id or follower list

keep getting 400 bad request error when trying to query for user’s follower list.
am using bash to call the api.
able to get token and pass token - just when it does a get for xyz url for follower list - return is 400 bad request or 301 permanently moved.
can some explain to me why im getting the error or maybe help me debug what is happening?

Please provide an example of the call you are making (with the token censored)


Ask for username and password

echo "What’s the username: "
read name

Curl for token

curl -X POST ‘https://id.twitch.tv/oauth2/token?client_id=<client_id>&client_secret=<client_code>&grant_type=client_credentials&scope=user:read:email’ >> token.txt && awk -F ‘"’ ‘{print $4}’ token.txt >> token_only.txt
token=$(cat token_only.txt)

Get User ID

curl -H ‘Accept: application/vnd.twitchtv.v5+json’ -H ‘Client-ID: <client_id>’ -H ‘Authorization: Bearer <client_code>’ -H 'Authorization: OAuth '$token 'https://api.twitch.tv/kraken/user?login=’$name -v

curl -H ‘Accept: application/vnd.twitchtv.v5+json’ -H ‘Client-ID: <client_id>’ -H ‘Authorization: Bearer <client_code>’ -H 'Authorization: OAuth '$token -X GET https://api.twitch.tv/helix/streams?user_login=$name -v

Remove Token for next go

rm token*

im almost positive there is something wrong with the url that im trying to call

curl -H ‘Accept: application/vnd.twitchtv.v5+json’ -H ‘Client-ID: xuvnniaiv7jupqbb4wdfo2rbbhlefv’ -H ‘Authorization: Bearer <client_code>’ -H 'Authorization: OAuth '$token

Should be just

curl -H ‘Client-ID: xuvnniaiv7jupqbb4wdfo2rbbhlefv’ -H ‘Authorization: Bearer <client_code>’

You are sending both Kraken and Helix headers. for all requests. Shouldn’t be a problem but we can clean our your headers to JUST Helix headers

use helix get users

There is no follow request in your code.

So i have looked through all the different references and forms - any way i use it i still get a 400
if i remove the oauth - i get a “missing oauth” error and if i add it back - you can see what i get below.

cleaned up code:

curl -X POST ‘https://id.twitch.tv/oauth2/token?client_id=’$client_id’&client_secret=’$client_secret’&grant_type=client_credentials&scope=user:read:email’ >> token.txt && awk -F ‘"’ ‘{print $4}’ token.txt >> token_only.txt
token=$(cat token_only.txt)

Get User ID

curl -H 'Client-ID: '$client_id -H 'Authorization: Bearer '$client_secret -H 'Authorization: OAuth '$token 'https://api.twitch.tv/helix/users?login=’$name -v

Remove Token for next go

rm token*

this is what the curl is sending as get request to api.twitch.tv:
GET /helix/users?login=$name HTTP/2

and getting this back:

400 Bad Request

400 Bad Request

* Connection #0 to host api.twitch.tv left intact

That would suggest you tried to lookup $name, which is not a valid username (Usernames can’t contain $)

You should of also got a body that desribes the error

"error": "Bad Request",
"status": 400,
"message": "Invalid login names, emails or IDs in request"


i was hiding the user name that it was using - if you want to retry its mine personal username hevvee18
below is the entire output from everything

What’s the username:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 121 100 121 0 0 180 0 --:–:-- --:–:-- --:–:-- 179

  • Trying…
  • Connected to api.twitch.tv ( port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
  • CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (IN), TLS handshake, CERT verify (15):
  • TLSv1.3 (IN), TLS handshake, Finished (20):
  • TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.3 (OUT), TLS handshake, Finished (20):
  • SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  • ALPN, server accepted to use h2
  • Server certificate:
  • subject: C=US; ST=California; L=San Francisco; O=Fastly, Inc.; CN=twitch.map.fastly.net
  • start date: Mar 26 21:41:40 2021 GMT
  • expire date: Mar 27 21:41:40 2022 GMT
  • subjectAltName: host “api.twitch.tv” matched cert’s “*.twitch.tv”
  • issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign CloudSSL CA - SHA256 - G3
  • SSL certificate verify ok.
  • Using HTTP2, server supports multi-use
  • Connection state changed (HTTP/2 confirmed)
  • Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  • Using Stream ID: 1 (easy handle 0x55fe25fe6dc0)

GET /helix/users?login=hevvee18 HTTP/2
Host: api.twitch.tv
user-agent: curl/7.74.0
accept: /
client-id: <client_id>
authorization: Bearer <client_secret>
authorization: OAuth

  • TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
  • Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
    < HTTP/2 400
    < server: awselb/2.0
    < content-type: text/html
    < date: Sat, 27 Mar 2021 16:10:11 GMT
    < x-served-by: cache-sea4458-SEA, cache-pdk17837-PDK
    < x-cache: MISS, MISS
    < x-cache-hits: 0, 0
    < x-timer: S1616861411.495229,VS0,VS0,VE64
    < strict-transport-security: max-age=300
    < content-length: 122
    <400 Bad Request

    400 Bad Request

<* Connection #0 to host api.twitch.tv left intact

Then I don’t know what wrong

as you wrote

I assumed that was what you actually sent/got back

You are trying to send your client secret as your auth header
And you are still sending a Kraken auth header.
Which is winning.

curl -H 'Client-ID: '$client_id -H 'Authorization: Bearer '$client_secret -H 'Authorization: OAuth '$token 'https://api.twitch.tv/helix/users?login=’$name -v

Should be

curl -H 'Client-ID: '$client_id -H 'Authorization: Bearer '$token 'https://api.twitch.tv/helix/users?login=’$name -v

as per the example call

curl -X GET 'https://api.twitch.tv/helix/users?id=141981764' \
-H 'Authorization: Bearer cfabdegwdoklmawdzdo98xt2fo512y' \
-H 'Client-Id: uo6dggojyb8d6soh92zknwmi5ej1q2'

ok so i get it now - it should be sending the token not the actually client_secret

that fixed ended up being the solution.

thank you sir

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.