Chat Bot User Name in DCF

Hi there.

The last few days, I got the DCF working for my C++ game engine. There is still something I just can’t wrap my head around.

bro_a : broadcaster account
bot_a : bot account

I would like to have my bot’s username in the chat, so I follow the process:

  1. Create bot Twitch account: bot_a
  2. Create “Public Client Application” XYZ in bot account
  3. Using XYZ’s client_id for DCF
  4. Request verification_uri for user_code
  5. Browse verification_uri and log in with bro_a
  6. Activate user_code
    7.0 The “Authorize” page says, that application XYZ wants to access your account, displaying bro_a(not bot_a) underneath with all the scopes the bots needs.
    7.1 Followed by pressing the “Authorize” button
  7. My C++ application loops as long as “authorization_pending” is sent while trying to get the user_token
  8. Eventually, authorization went through and my bot logs into the chat.
  9. Log into the chat with NICK bot_a into channel #bro_a.
    Here comes the problem:
  10. The bot is registered as bro_a and not as bot_a!

Some forum threads and the docs talk about the auth token being connected to the user authorizing, so I tried step 5. with not logging in as bro_a but as the bot itself, so essentially authorizing its own client application to access bro_a’s chat. That worked actually, but I do not understand it.

If I look in my connections in the setting with my bro_a account, the bot_a client application is not connected, but the bot can do stuff, like sending announcements or write into the chat with its username… The client application is actually connected in the bot_a account. How can this be?

If I allow the Twitch Developer to access my account I do log in with my account bro_a, right?

Thanks for any advice!

The owner of the application is irrelevant

It’s all about which user authenticates to the client id

So to operate as the bot account then you need to login/connect to the clientID as the bot account.

Wow, that was quick. Thanks.

Sure, but at the moment, my bot is connected/authorized to its own client application but still can act on my chat!

Say I would like to pass the bot to someone else, bro_b, who wants to authorize the bot with all the scopes in order do deploy its features, bro_b would also log in with bro_b’s account and authorize the bot through the verification_uri, right?

Because you linked the clientID to the bot_a account in order to let the clientID act as bot_a

So it wouldn’t show on bro_a unless you do an oAuth loop as bro_a for the client id

The other person would need to be able to login to twitch as the bot account (ie they need the password)

Or they would use their own bot account and attach it to your program

Assuming irc and not eventsub webhooks or conduits then sure

If eventsub websockets then it will work yes

For DCF. It’s either irc or eventsub websockets which only needs auth from the chatting user. And nothing from the broadcaster/channel

Sorry, I still do not get it…

Ok. Lets consider this endpoint:
https://api.twitch.tv/helix/chat/announcements

It requires the broadcaster_id and the moderator_id and the scope moderator:manage:announcements in the user token.

In my case, broadcaster_id is my id, and moderator_id is the bots id.

In my account, I do not have the connection to the bots client application which I used to get the user token with the scopes. And yet, the bot can send to this endpoint successfully.

But technically, if the bot’s client application is not connected in my account, doesn’t that mean, the bot does not have been authorized to do this action?

The end point

https://api.twitch.tv/helix/chat/announcements

Requires a user token from moderator_id with the scope moderator:manage:announcements

The user moderator_id needs to be a moderator of the destination channel broadcaster_id

No authentication from the broadcaster is needed beyond the broadcaster having given the user the rank of moderator on the broadcasters channel.

A user has given the clientIID permission for the clientID to operate on their account.

The clientID can only send an announcment to a channel, if the user in the token is also a moderator of the destination channel.

So if your tried to use this endpoint to send to /twitch you would get the error of the moderator in the token is not a moderator of /twitch

Two tokens are not required, just the token for the user that wants to send an announcement. As the broadcaster already gave the user permission to send announcements by making the user a a moderator.

IE the moderator can send announcements as the moderator is a moderator of the destination cahnnel

So on your channel you have given the bot user the role of moderator.
And the bot user has given permission to the ClientID to act on it’s behalf.

Ok. I just tried the bot on someones channel(I kindly asked before!). And the bot was able to log into that users channel chat and post a PRIVMSG message.

I initially thought the scopes are there for the user to allow the bot, via the authorization page, to act in certain ways, like posting on the user channel chat.

Ok. That changes things. So if I would like to make my bot act on behalf of another user bro_b, bro_b needs to add my bot as a moderator first, otherwise, I can only do simple postings to the chat and reading the chat, depending on what the scopes allows for, right?

No

A user cannot act as another user.

A clientID can act as whatever user is in the token being used.

To send a PRIVMSG over IRC as a user doesn’t require any permissions from the broadcaster. You only need the user token for the user you want to send messages as.

Sending announcements as a user needs the user to be a moderator on the destination channel, but you would still have the announcement be authored by the user in the token you have not another user, like you wrote.

I think you got confused over ownership of the clientID.

The scopes dictate what permissions are on a token.
A token belongs to a user.
The owner of the ClientID jsut doesn’t matter.

When you generate a token for a user, you can only act as the user in the token, not another user.

The bot is just another user.

If foo grants the clientID bar a token then you can do whatever as foo but you can’t do anything as the user that owns the clientID.

Like if you login to my ClientID as your bot on say this code example Twitch Implicit Auth Example that returns a token for your bot that I don’t see.

But if you change the scopes that that tool puts on the token (to say include the announcement sending scope we discussed) then you have a Token that represents your bot, using my clientID, that can send announcements to a channel if your bot is a moderator there.

I can’t now magically start sending stuff to a chat as your bot. And your token can’t start magically sending stuff to any chat as me the owner of the clientID.

Your program might have a token for your bot account and a token for user bro_b

So then your program can use whatever token it needs to do whatever it is you want to do.

So depends here if you mean bot as in the program or bot as in another user. Which I don’t think you do.

So no beign a moderator doesn’t matter here. It was only relevant for for the example of sending announcements.

as to send announcements via the API requires

  • a token from the user that wants to send the announcement
  • that user to also be a moderator on the destination channel.

Since you are doing a game.

You can’t operate how you want to operate as there is no way for this to work:

  • I download your game
  • I open the game
  • I DCF as your bot

As I don’t have your bot’s username and password and 2FA token.

So we’ll take this back to the beginning:

  • You are making a game
  • It is not possible under this flow to send messages to the channel as your bot as there is no way to authenticate the bot to the players computer.

So for a game to read/write to a channel you would have to be read/writing as the broadcaster.

  • I download the game
  • I open the game
  • I login to the game as me as I have my username/password (and not your bots)
  • The game sends to chat as me as thats the only token it’s possible to get.

If you wanted to send to the channel as the bot

  • I download the game
  • I open the game
  • I login to the game as me as I have my username/password

When something needs to be sent to the channel as your bot

  • The game notifies your server of a message to send
  • Your server sends to the channel as your bot as you have the bots token securely held on your server.

And to keep things simple we are ignoring a special case that can allow this but doesn’t apply for your described use case and authentication flow as it doesn’t apply in your security context. (Since said special case will require a server and can’t be done in pure DCF)

@BarryCarlyon Thanks for clarification. I think I have to experiment a bit a have to let it settle a bit. I think I understand.

Since I can see your edit I’ll clarify some parts

Twitch Developer wants to access your account

Twitch Developer is the name of the ClientID.
It is the program behind the clientID that does stuff.

The Developer Console uses the Code Grant flow.
There is no developer user

Everywhere I’ve said “bot” in this post has generally mean the user, not the program.
And I think thats where some confusion might have stemmed from.

The program will operate as the token it has on file.
So when you oAuth you connect a user to the clientID and the resultant token representing a user is what messages sent in a channel will use as a username. The user within the token.

The name of the ClientID and the owner of the ClientID does not matter.

The Twitch Developer account is the owner of the token?

There is no Twitch Developer account in this scenario. Just a client ID called “Twitch Developer”.
The program behind it will hold onto the token and use the token.
The token the program has on file has access to those scopes to do whatever.

Like if you go to Twitch Implicit Auth Example and click the second link, that grants the program, in this case the Javascript on the page, permission to read your (verified) email address from the Twitch API when it calls the Get Users Endpoint. (Until you reload the page and the program is restarted and the token is lost.

You got me there. Well, I edited, because I found that previous post you made to be clarifying afterwards.

Thanks anyway @BarryCarlyon for all the time you put into my problem! It helped me very much to understand it better and getting rid of my previous mindset of the DCF.

The DCF works perfectly for me and I think I can do what I wanted to do with it!