400 : Missing client secret - OAuth authorization code flow

Hey, I’m pretty new to API stuff and web development in general and I think I’m a bit lost around that.

I’m trying to make a tool to change my game category, and after reading the documentation I managed to write that down.

I get my “authCode” from the first steps of the OAuth authorization code flow.

    var authCode = getUrlQueryStringParamsCode().code;
    var params = {
        client_id: CLIENT_ID,
        client_secret: SECRET,
        redirect_uri: REDIRECT_URI,
        code: authCode,
        grant_type: "authorization_code"
    };

    var url = "https://id.twitch.tv/oauth2/token";

    var xhr = new XMLHttpRequest();
    xhr.open("POST", url, true); // open() has to be called before setRequestHeader()

    xhr.setRequestHeader("Accept", "application/vnd.twitchtv.v5+json");
    xhr.setRequestHeader("Client-Id", CLIENT_ID);
    xhr.setRequestHeader("Content-Type", "application/json");

    xhr.onreadystatechange = function () {
        if (xhr.readyState === 4 && xhr.status === 200) {
            // the token response is available in xhr.responseText
        }
    };

    var data = encodeQueryString(params);
    xhr.send(data);


I get a 400 error for “missing client secret”; however, I think that I already have the client secret in my request parameters.

I also tried to put the client secret into the headers but it didn’t work either. Any idea of what I'm doing wrong?


This looks like front-end code (XMLHttpRequest). You shouldn’t be doing this sort of call in front-end code, as you end up leaking your secret.

This header is not needed; it only applies to calling Kraken, and the OAuth flow is not Kraken.

You are trying to do an OAuth flow in the front end, which you shouldn’t be doing as you leak your secret to the world.

As to your actual problem, not sure; it looks correct. Check that data contains what you expect it to contain, or construct your URL to use query string parameters instead of .send(data). Additionally, check that SECRET is actually populated.

Ok, thank you!

I’ll do it through the backend then and modify what you told me.
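
The backend approach settled on in this thread, as an added example that is not part of the original posts: a Node.js 18+ sketch where the secret stays in server configuration and the token request is form-encoded. The environment variable names and the function names loadConfig, buildTokenRequest and exchangeCode are assumptions made for illustration.

```javascript
// Added example: server-side token exchange (Node.js 18+), not the poster's code.
const TOKEN_URL = "https://id.twitch.tv/oauth2/token"; // endpoint from the post

// Read credentials from the server's environment. The variable names are
// assumptions; failing fast here catches an unpopulated secret early.
function loadConfig(env) {
  const cfg = {
    clientId: env.TWITCH_CLIENT_ID,
    clientSecret: env.TWITCH_CLIENT_SECRET,
    redirectUri: env.TWITCH_REDIRECT_URI,
  };
  for (const [key, value] of Object.entries(cfg)) {
    if (!value) throw new Error(`missing config value: ${key}`);
  }
  return cfg;
}

// Build the POST the backend sends; body and Content-Type are both form-encoded.
function buildTokenRequest(code, cfg) {
  if (typeof code !== "string" || code === "") {
    throw new Error("missing authorization code");
  }
  const body = new URLSearchParams({
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    code,
    grant_type: "authorization_code",
    redirect_uri: cfg.redirectUri,
  });
  return {
    url: TOKEN_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Exchange the code for tokens. fetchImpl is injectable for offline testing.
async function exchangeCode(code, cfg, fetchImpl = globalThis.fetch) {
  const { url, init } = buildTokenRequest(code, cfg);
  const res = await fetchImpl(url, init);
  const payload = await res.json();
  if (!res.ok) {
    // Report status and message only; the request body contains the secret.
    throw new Error(`token endpoint returned ${res.status}: ${payload.message}`);
  }
  return payload; // keep tokens in the server-side session, not in page JS
}
```

The browser only redirects the user to the authorization page and hands the returned code to this backend; CLIENT_ID may appear in page code, SECRET may not.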
