401 error with freshly generated tokens

Following the Authorization code grant flow - I’m sure I’ve got this right, but maybe I’ve missed something:

This is the request:

  • After authorising and redirecting back to my app, I get back a code (for redaction purposes, call it XYZ) (along with the state to check UUID etc etc) - all good. This is where my browser comes back to:

But the code doesn’t work. If I try it again https://api.twitch.tv/helix/users I get a 401

curl -X GET 'https://api.twitch.tv/helix/users' \
-H 'Authorization: Bearer XYZ' \
-H 'Client-Id: REDACTED'

{"error":"Unauthorized","status":401,"message":"Invalid OAuth token"}

and even if i just try this:

curl -X GET 'https://id.twitch.tv/oauth2/validate' \
-H 'Authorization: Bearer XYZ'

{"status":401,"message":"invalid access token"}

What gives? Am I using the wrong token?

You need to exchange the code for a token


Authorization code flow example


Open a terminal window and enter the following cURL POST command (you’ll need cURL installed on your computer). Replace the placeholder strings and the authorization code with your values.


curl -X POST 'https://id.twitch.tv/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=<your client id goes here>&client_secret=<your client secret goes here>&code=17038swieks1jh1hwcdr36hekyui&grant_type=authorization_code&redirect_uri=http://localhost:3000'

That’ll return you an access token. after code to token exchange is complete

Ah, missed that step somehow. Thanks. What’s the normal life cycle for the token, should I generate one for every transaction or store the token for future use?

asking the user to oAuth each time can be probablatic…
But is done if you are not persisting sessions per sae

Generally speaking yes

but can depend on the use case

Still got an issue here - when I try to get the users link I get:

{"error":"Bad Request","status":400,"message":"The id or login query parameter is required unless the request uses a user access token."}

I’m trying to find out what the login ID is (hence querying users without specifying an ID), so how am I supposed to supply the login ID?

sounds like you tried to do use a client_credentials token instead of a user token, which doesn’t match what you did in the OP of this thead

Check your steps matches this example


But note this example uses implicit auth rather than code flow auth. But the steps are the same, do something to get a user token, then use the user token against the users API

Ah ok, these different flows are confusing :wink:

I’ve sort of made some progress as I was trying to subscribe to chat messages so they call a webhook, which I think needs the kind of token I generated anyway.

But something’s not quite right. If I sign in as a different user and message the chat in my channel, the messages don’t appear. The user is email-verified, there’s nothing in moderation or anything filtering it out as far as I can tell, I can see the user is watching, but no messages come through… and when I click the user it shows the attached. Not sure why I’m having all these issues?!

Screenshot 2023-12-31 at 13.49.20

Well that chat message topic doesn’t exist yet, but chat notifications does

I can help you with that however

Now we are talking about posting messages to chat (like a bot) so theres 2/3 different things going on here…

So lets go back to the beginning, what are you trying to do?

Essentially I’m trying to subscribe to all chat messages, so that every message posted in the channel is forwarded to a webhook.

The sub seemed to work, but when I didn’t get any messages coming through to my endpoint, I wondered whether it was because I don’t receive messages from my own user ID. Hence trying another account - so now I’m thinking if those messages don’t even show in the chat window on my channel, it’s not surprising I’m not getting them via my endpoint.

Thanks for your ongoing help!

The EventSub topic for this doesn’t exist yet.

EventSub Topics available for use can be found here EventSub Subscription Types | Twitch Developers

They are tagged with a version so, general availablity are currently numeric and open betas tagged as beta

But there is no topic for “regular chat messages” just channel.chat.notification which is basically IRC/Chat USERNOTICE as a Topic.

PRIVMSG as a topic is announced but not available.

Ah, so there’s no way to get all messages relayed via a webhook or some other method?

No worries if so… I guess I can embed the chat window - but why are the messages from my ‘other’ user not even appearing my chat window? I’ve even tried removing the requirement for email verification. But not a peep from anything, it still insists that my test user has yet to post anything.

It’s not available on eventsub yet, just announced.

You can currently get Chat via connecting to chat via IRC/IRC over WS - Chat & Chatbots | Twitch Developers

We talking about sending messages via the web/mobile/firstparty client or “as a bot/script” via websocket/IRC/other third party integration?

Do you mean that it’s been announced it will be coming soon, or is announced a feature or comms type?

Currently just not seeing the messages at all - I have ‘stream chat’ opened in two different browsers, so:

Chrome: me (channel owner)
Safari: my other account

If I type in the stream chat in Chrome, I see it in both browsers… if I type in Safari, I only see it in Safari…

Soon, since all the other chat over eventsub types are out except PRIVMSG as a topic. But there is no time line/announce date

Then you have some sort of first party issue outside the realms of what I or this forum can help with

Could it be something I’ve broken with my sub attempts? I’ve just registered a new user on a completely different computer / IP, and nothing from that either. It’s like there’s a permission to stop anyone but the channel owner posting. Very odd.

You might be caught in the mystery black box of spam protection.


You’ve cause a first party issue outside the realms that I/the forums can help with.

Oddly, my Mac crashed shortly after, and since a reboot it’s fine. Some process looking after websockets must have hung or something I guess. Anyway, thanks for all your help Barry!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.