Authorization Code Flow


I want a .php file that’s only reachable after a Twitch login. I used this instruction Github Authentication and it’s working till step 2. Now I’ve no idea what to do next…

And if someone knows how to, I want an automatic TeamSpeak 3 verification which is connected to the Twitch account.

Best wishes sOUTHX :smile:

  1. You send people to Twitch.
  2. Twitch sends them back to you with a code in query string
  3. Using the code passed back in 2 you exchange with Twitch to get an access token

But I don’t get what I’ve to do now. I got back to the Redirect URI, but what to do next? I want a site that’s only visible if you’re logged in.

If the user has been redirected to the Redirect URI, you then see if you have a code, or an error.

If you have a code then you are logged in

Yeah, I got a code, but I want a site that’s invisible if you’re not logged in. You know what I mean?

  1. Send to Twitch
  2. Redirect back from Twitch
  3. Read code
  4. Check code is valid
  5. If valid you are logged in

This dirty script may help:


<?php
$client_id = 'YourID';
$client_secret = 'YourSecret';
$redirect_uri = 'http://someplace/';

// Twitch has redirected back with ?code=... in the query string
if (!empty($_GET['code'])) {
    // exchange the code for an access token (the endpoint URL is blank on the page)
    $token_url = '';
    $data = array(
        'client_id' => $client_id,
        'client_secret' => $client_secret,
        'grant_type' => 'authorization_code',
        'redirect_uri' => $redirect_uri,
        'code' => $_GET['code']
    );

    $curl = curl_init($token_url);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

    $result = curl_exec($curl);
    $i = curl_getinfo($curl);

    if ($i['http_code'] == 200) {
        $result = json_decode($result, true);

        // get the user the access token belongs to (the endpoint URL is blank on the page)
        $curl = curl_init('');
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_HTTPHEADER, array(
            'Accept: application/vnd.twitchtv.v3+json',
            'Client-ID: ' . $client_id,
            'Authorization: OAuth ' . $result['access_token']
        ));
        $user = curl_exec($curl);
        $i = curl_getinfo($curl);

        if ($i['http_code'] == 200) {
            $user = json_decode($user);

            // escape the name: it is remote data being written into HTML
            echo '<p>Thanks ' . htmlspecialchars($user->display_name) . ' <3</p>';

            // THE USER IS LOGGED IN
        } else {
            echo '<p>An error occurred, please <a href="/">click here and try again</a></p>';
        }
    } else {
        echo '<p>An error occurred, please <a href="/">click here and try again</a></p>';
    }
} else {
    // no code yet: build the link that sends the user to Twitch
    $scopes = array(
        'user_read' => 1,
    );

    // join the enabled scopes with '+'
    $req_scope = '';
    foreach ($scopes as $scope => $allow) {
        if ($allow) {
            $req_scope .= $scope . '+';
        }
    }
    $req_scope = substr($req_scope, 0, -1);

    // authorize URL (the base URL is blank on the page)
    $auth_url = '';
    $auth_url .= '&client_id=' . $client_id;
    $auth_url .= '&redirect_uri=' . urlencode($redirect_uri);
    $auth_url .= '&scope=' . $req_scope;
    $auth_url .= '&force_verify=true';

    echo '<a href="' . $auth_url . '">Please Click this Link to Authenticate with Twitch</a>';
}

Yeah, and I’m stuck at step 2. I get redirected to the URL, but the question is what I have to do in the .php file to make it only accessible if you’re logged in (right now you can always reach it).

So if I’m right, I got the same result as mine, but what’s to do so that the redirect_uri is just visible if a user is logged in? Just like if you’re not logged in to Twitch. You know.

Everyone goes to “redirect_url”. On the “redirect_url” page the user is shown logged out content; they click the link, which then goes to Twitch, they log in and authorise the app, and are sent back to the “redirect_url” page with the code.

If there is a code you verify the code and if you get a user packet as in my code, then you are logged in…

It’s a simple if statement…

If $gotUserName then logged in, and thus show logged in content. Else show the login button and/or an error message.

The redirect_url only comes back if the user has been authenticated with Twitch otherwise you will just be stuck on the Twitch login page.

I got back to the redirect_url and I got the code in the address bar, but I don’t know how to create a page that’s only visible if you’re logged in (or a profile system). I want a system like

  1. Connect with Twitch button is working
  2. Login is working and
  3. I get back to the redirect_url

To stop a page from being accessible it needs to be behind some kind of check, for example:

  1. Auth with twitch sends redirect_url
  2. Login page/function captures the redirect
  3. Query Twitch API for user details
  4. Create a session that contains said details
  5. Pages check to see if a session is established

That is pretty much it in pseudocode. @BarryCarlyon did cover this further up! Are you using a framework or plain PHP?

@BarryCarlyon @FluffyMatt Thank you very much, now I got it! But I’ve still one little question: how do I create a “logout” button?

@sOUTHX For logout, just clear out the session in the browser using something like Session::destroy(); it depends on what/how you code.

Then next time the user tries to go to a secure location it loops to the Auth/Login process, if coded correctly ofc.
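The session check from steps 4 and 5 above and the logout just described, as an added example in plain PHP that is not code from any poster in this thread. The function names, the `twitch_user` session key and the `/login.php` path are assumptions, and the cookie flags assume the site is served over HTTPS.

```php
<?php
// auth.php -- added example; all names here are hypothetical, not from the thread.

function start_secure_session(): void {
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'httponly' => true,   // not readable from JavaScript
        'secure'   => true,   // assumption: site is served over HTTPS
        'samesite' => 'Lax',  // Lax still sends the cookie on the redirect back from Twitch
    ]);
    session_start();
}

// Step 4: call this once the user lookup has returned HTTP 200.
function login_user(string $displayName): void {
    start_secure_session();
    session_regenerate_id(true);   // fresh session ID at login blocks session fixation
    $_SESSION['twitch_user'] = $displayName;
}

// Step 5: call this at the top of every protected page, before any output.
function require_login(string $loginPage = '/login.php'): string {
    start_secure_session();
    if (empty($_SESSION['twitch_user'])) {
        header('Location: ' . $loginPage);
        exit;   // without exit the protected content below would still be sent
    }
    return $_SESSION['twitch_user'];
}

// Logout: empty the data, expire the cookie, destroy the server-side session.
function logout_user(): void {
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// A protected page then starts with:
//   require 'auth.php';
//   $name = require_login();
//   echo '<p>Hello ' . htmlspecialchars($name) . '</p>';
```

The redirect page would call `login_user()` at the point marked `THE USER IS LOGGED IN` in the script above, and a logout link would point at a page that calls `logout_user()` and then redirects.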

@FluffyMatt Thank you man, have a nice day :smile:

No worries mate.

If you need any more help give me a shout.
