All OAuth tokens invalid?

Hope everyone is well.

Got on to work on my project a bit more and I’m getting the following in a var_dump

array(3) { ["error"]=> string(12) "Unauthorized" ["status"]=> int(401) ["message"]=> string(19) "Invalid OAuth token" }

That leads me to believe the token for whatever reason became invalid by expiration. (I thought these lasted a few days. Will have to look more into that later)

So I decided to go ahead and get another token so I can continue working on the project and for some reason no matter the token they all appear to be invalid.

Checking validity through alternative means I continue to get the following.

{
    "error": "Unauthorized",
    "status": 401,
    "message": "Invalid OAuth token"
}

Any advice on this would be appreciated. I’m fairly confused as everything was working just fine previously and when I refreshed the page today it’s just not validating anything.

In case it’s needed I’m validating for Helix only at the moment and will splice a little of Kraken5 in as it’s needed later.

I’m using the following to test before I go messing with any project code.

curl -H 'Client-ID: MY-ID' \
-H 'Authorization: Bearer ANY-TOKEN' \
-X GET 'https://api.twitch.tv/helix/games?id=493057'

Just a quick update. I’ve tried refreshing and revoking the token and I get 404.

Not sure what to make of it at this point as it seems the tokens just aren’t registering upon authorization. :thinking:

Hi @Binary_Accepted, your token didn’t expire suddenly. We are in the middle of a 24-hour test window for the new OAuth requirements announced earlier in the year. Please see the following post.

How are you getting your token? Are you creating it with your client ID or using a service to generate one?

1 Like

Hello @jbulava, I am generating the token with my Client-ID.

For testing purposes until I’ve finished my little project I’m using the following to create a token.

https://id.twitch.tv/oauth2/authorize?client_id=MY-CLIENT-ID&redirect_uri=http://localhost&response_type=code&scope=SCOPES

I’ve been using the token successfully up until today which is why I thought it might have just expired or wasn’t working properly as I’ve been unable to use any tokens generated through the method provided.

Thank you for the provided document. I am reviewing it as we speak.

Quick update and additional inquiry.

I’ve set up a messy method for checking my token and it is showing up as invalid.

array(2) { ["status"]=> int(401) ["message"]=> string(20) "invalid access token" }

I’m using the following to get this output. (Just in case I’m messing up somewhere on my end and don’t actually realize it.)

<?php
$cl = curl_init('https://id.twitch.tv/oauth2/validate');
curl_setopt($cl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($cl, CURLOPT_TIMEOUT, 30);
curl_setopt($cl, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($cl, CURLOPT_HTTPHEADER, array(
    'Client-ID: MY-Client-ID',
    'Authorization: Bearer My-OAuth-Token'
));

$data = curl_exec($cl);
curl_close($cl);
$status = json_decode($data, true);

var_dump($status);

If the Client-ID and OAuth token don’t match I should get the error I’m getting if I understood the documentation and the post provided.

If I don’t provide the token I’ll get an error saying that it’s missing altogether.

I’ve tested this through bash curl, python, and php and they all give me the invalid response.

The token was created with the Client-ID so they should match. Not sure if creating a new app profile would be advised or not but I will await a response from those who know better than I. :slight_smile:

Thanks again.

The validate Endpoint expects “OAuth your token” not “Bearer your token”

My mistake, I was referencing the wrong part of the documentation.

In the new Twitch API:
`curl -H "Authorization: Bearer <access token>" https://api.twitch.tv/helix/`

In Twitch API v5:
`curl -H "Authorization: OAuth <access token>" https://api.twitch.tv/kraken/`

Though changing from Bearer to OAuth doesn’t seem to change the results any.

Can you show your OAuth token generation code?

I was just using the direct URL to generate the code and acquire the token.

https://id.twitch.tv/oauth2/authorize?client_id=MY-CLIENT-ID&redirect_uri=http://localhost&response_type=code&scope=SCOPES
  1. that is step one, redirect the user to twitch
  2. they are returned to you with a ?code
  3. and that code needs to be exchanged for an access token.

It sounds like you are not doing step 3:

3) On your server, get an access token by making this request:

POST https://id.twitch.tv/oauth2/token
    ?client_id=<your client ID>
    &client_secret=<your client secret>
    &code=<authorization code received above>
    &grant_type=authorization_code
    &redirect_uri=<your registered redirect URI>
1 Like
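
Steps 2 and 3 above, as an added Python example that is not part of the original posts: it pulls the `code` out of the URL Twitch redirects back to and builds the token-exchange POST without sending it. The function names, the sample redirect URL and the credential values are constructed placeholders; the parameters go in a form body rather than the query string so the client secret does not end up in URLs.

```python
from urllib.parse import urlsplit, parse_qs, urlencode
from urllib.request import Request

TOKEN_URL = "https://id.twitch.tv/oauth2/token"


def code_from_redirect(redirect_url):
    """Step 2: return the ?code value Twitch appended to the redirect URI."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "error" in params:
        # The authorization was refused or failed; there is no code to exchange.
        raise ValueError("authorization failed: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one ?code parameter")
    return codes[0]


def build_token_exchange(client_id, client_secret, code, redirect_uri):
    """Step 3: build (not send) the POST that trades the code for a token."""
    form = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,  # must equal the registered redirect URI
    }).encode("ascii")
    return Request(TOKEN_URL, data=form, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded"})


if __name__ == "__main__":
    # Constructed sample: what the browser's address bar holds after step 1.
    returned = "http://localhost/?code=EXAMPLE-CODE&scope=user%3Aread%3Aemail"
    req = build_token_exchange("MY-CLIENT-ID", "MY-CLIENT-SECRET",
                               code_from_redirect(returned), "http://localhost")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) would send it; the JSON reply carries
    # access_token, refresh_token and expires_in.
```

The value from `?code` is what goes into this request; it is not itself an access token, which is why using it as `Bearer` or `OAuth` returns 401.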

Absolutely right! I completely missed step 3 of the process.

Seeing as my project doesn’t require other users’ information, only my own to be displayed, is this step still going to be required and updated periodically?

Meaning that – The token is going to expire eventually and I had initially planned to just renew it manually after expiration. Does this mean that I’m going to need to write something for me to go to in order to renew my details periodically or can I just keep doing it manually through the URLs?

Edit: Seems I’m going to have to do this through code because trying to do it through URL only is just returning a 404.

Yes, but you are provided the refresh token to automate renewal of the token.

And you probably should be using an app access token for this use case.

1 Like

HA! I feel I have been going about this whole project the wrong way from the start. Which is fine because either way it’s a learning experience for me.

So the App Access Token(AAT) should still give me all the access I need to display my information to others that visit my page, correct?

Will that token expire? And if so is the renewal process pretty much the same, in terms of having to visit the page for the new details or can I just create a script and set up a cron to execute it every x days set by the expiration time provided in the response?

So sorry for all the questions. Just trying to save myself a lot of headache in the trial and error process of it all.

I greatly appreciate all the help and information provided.

Yup

All tokens expire, app access lasts around 60 days

App access cannot be renewed, you just make a new one.

Basically yeah.

1 Like
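
The cron approach discussed above, as an added Python example that is not from the original posts: keep the app access token in a small cache and request a new one only when it is close to expiry. It assumes the client-credentials grant on the same token endpoint; the cache layout, the function names and the one-day margin are choices of this example.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://id.twitch.tv/oauth2/token"
RENEW_MARGIN = 24 * 3600  # assumption: replace the token a day before expiry


def request_app_token(client_id, client_secret):
    """POST the client-credentials grant and return the decoded JSON reply."""
    form = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials"}).encode("ascii")
    with urlopen(Request(TOKEN_URL, data=form, method="POST"), timeout=30) as r:
        return json.load(r)


def needs_renewal(cache, now):
    """True when there is no usable cached token or it expires within the margin."""
    try:
        cache["access_token"]
        expires_at = cache["obtained_at"] + cache["expires_in"]
    except (KeyError, TypeError):
        return True
    return now >= expires_at - RENEW_MARGIN


def current_token(cache, client_id, client_secret,
                  fetch=request_app_token, now=None):
    """Return (token, cache); a new token is fetched only when one is needed."""
    now = time.time() if now is None else now
    if needs_renewal(cache, now):
        reply = fetch(client_id, client_secret)
        cache = {"access_token": reply["access_token"],
                 "expires_in": reply["expires_in"], "obtained_at": now}
    return cache["access_token"], cache


if __name__ == "__main__":
    # Constructed reply so the demo runs offline; values are placeholders.
    fake = lambda cid, sec: {"access_token": "EXAMPLE-TOKEN",
                             "expires_in": 5000000, "token_type": "bearer"}
    token, cache = current_token(None, "MY-CLIENT-ID", "MY-SECRET", fetch=fake)
    print(token, needs_renewal(cache, time.time()))
```

A cron job would load the cache from a file readable only by its own user, call `current_token`, and write the returned cache back.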

I have a feeling that statement is going to generate a whole slew of new questions for me. However I will ask those later as this has given me a whole new scope to work with and am very excited to see if I can make it happen captain.

Thanks very much @BarryCarlyon for that information and providing me with the right documentation to review. You, my friend, are a beast!

1 Like
