EventSub: "subscription missing proper authorization"

nesttle · November 19, 2020, 5:12pm

Request:
curl -X POST https://api.twitch.tv/helix/eventsub/subscriptions -H 'Authorization: Bearer <App Access token>' -H 'Client-ID: <My Client-ID from dashboard>' -H 'Content-Type: application/json' -d '{"type": "channel.channel_points_custom_reward_redemption.add", "version":"1", "condition":{"broadcaster_user_id":"<Channel User ID>"}, "transport":{"method":"webhook", "callback":"https://mydomain.com/channelpoints/callback.php?test=test", "secret": "<My Secret Key>"}}'

Response:
{"error":"Forbidden","status":403,"message":"subscription missing proper authorization"}

I’m getting the App access token with:
curl --data "client_id=<My Client ID>&client_secret=<My Client Secret>&grant_type=client_credentials&scope=channel:read:redemptions+channel:moderate" https://id.twitch.tv/oauth2/token

BarryCarlyon · November 19, 2020, 5:16pm

The channel you are trying to subscribe to has not granted your ClientID access to the relevant scopes for channel points

Basically a client_credentials can’t have scopes (or a userID)

You need to generate a user access token with the scopes on. So you can call the API with that token.

Once that has been done, then you can use your app access token to create the subscription.

So

Get permission from the broadcaster to read/write channel points, user access token (with scopes)
Then EventSub to those topics with your App Access Token (no scopes)

So you need two different tokens.

nesttle · November 19, 2020, 5:21pm

Which token should I use to subscribe? user token or app token?
curl -X POST https://api.twitch.tv/helix/eventsub/subscriptions -H 'Authorization: Bearer <App Access token>' -H 'Client-ID: <My Client-ID from dashboard>' -H 'Content-Type: application/json' -d '{"type": "channel.channel_points_custom_reward_redemption.add", "version":"1", "condition":{"broadcaster_user_id":"<Channel User ID>"}, "transport":{"method":"webhook", "callback":"https://mydomain.com/channelpoints/callback.php?test=test", "secret": "<My Secret Key>"}}'

Having to use two tokens as you comment, I get a bit lost as the POST call only accepts one token at a time and I don’t know which one I should use. Thanks for the answer, I will read it more times to see if I clarify myself.

BarryCarlyon · November 19, 2020, 5:21pm

EventSub subscriptions are only created using an App Access Token

You just need to have created a user access token once you don’t even need to store it

EventSub checks if your clientID has had access to the resource you request. So you don’t need any user active access tokens on file (since a user token only lives for four hours anyway)

nesttle · November 19, 2020, 5:22pm

In that case, the Creator / streamer user access token shouldn’t be stored for later use, it just needs to be authorized and that’s it?

BarryCarlyon · November 19, 2020, 5:23pm

Correct.

Unless you need to read/write from Helix.

Helix will need you to use the User Access Token

system · December 19, 2020, 5:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.