Access Token prefixed with # rather than?

Just curious why the querystring parameter for access_token is prefixed with #access_token= rather than a standard ?access_token=

Example URL:

I end up having to take hacky approaches because of this & just generally unsure why this is returned this way?

Twitch responds with https://<your registered redirect URI>#access_token=<an access token> for the Implicit OAuth flow because that is what the industry standard calls for so Twitch (like every other site using OAuth that sticks to the specifications for the Implicit grant type) responds according to that standard and uses #access_token=.

Alternatively, unless your app specifically needs to use the Implicit flow, it may be beneficial to use the Authorization Code Flow as then Twitch’s response will user a ?code= querystring param, which can be POST’ed to Twitch which responds with access/refresh/expiration/scopes etc… in the response body.


To put it another way, becuase you told it to.

You got and asked for

But you expected


How would I have told it to?

My redirect URI is http://localhost:8000/auth/twitch/ not http://localhost:8000/auth/twitch/#

In no way am I directing this behavior intentionally, so what would cause this?

Redirect View:

def twitch_auth_redirect(request):
    twitch_url = '{1}   \

    return redirect(twitch_url)

I’ve had this issue in the past, and just used substring to make it valid. Anything stand out to you?

Disregard, I missed the other message. Looking over docs now.

Edit: I see my error and misunderstanding. I’m adjusting, thanks for the guidance.

For future readers, the issue was that I was inadvertently using Implicit Flow as opposed to Authorization Code Flow because I didn’t append response_type=code to my request.


You got it! :smiley:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.