Extension Fails to update after 1 hour

I’ve been testing my extension with the EBS running in azure. And when you first start up the extension it loads in fine and things are visible, it is able to reach out to the EBS and download any changes to the data displayed. After about an hour something happens and the JWT being sent by the extension is no longer seen as valid by the EBS. This continues until the page is refreshed and the extension reenabled.

So based on the timing I’m assuming there is (likely? not entirely sure) a token refresh, or something and the EBS no longer recognizes the provided JWT as being valid.

So either I’m not supposed to be using the JWT for every request, or I’m doing something else wrong. Obviously the code works since we have no issues for 1 hour. So I must be missing something fundamental in how the onAuthorized or JWT generation works from the twitch side. I was under the impression that onAuthorized should fire every time there is a token refresh.

But even if the token doesn’t refresh, wouldn’t the previous token still be legit to the EBS since we are still testing it against our shared key? I feel like I’m missing a piece that is not letting this issue click for me.

Any Ideas?

Correct JWT’s are only valid for around and hour

Then the extension will have onAuthorised called again and a new token issued.

I always use window.Twitch.ext.viewer.sessionToken to obtain the current token when making requests to my EBS.

So you can either use window.Twitch.ext.viewer.sessionToken on extract the new token when onAuthorised is called again as onAuthorised will be called about once per hour that the page is kept open if not quicker, in order to issue the new token.

The token will validate but be rejected, so you could set your library to ignore expiration as a criteria for rejection but obviously this is not recommened for production use cases.

TLDR: onAuthorised is called

  • when the page loads
  • every hour ish after the page loads
  • when a user shares their ID
  • when a user revokes access to their ID

At each calling of onAuthorised a new helixToken and sessionToken are issued and the super globals window.Twitch.ext.viewer.helixToken/window.Twitch.ext.viewer.sessionToken revised with the new tokens.

The optimal use case is

To use the super global rather than your own variable for communication with your EBS. Then when the value is updated by the helper you don’t need any code to do anything as it’s in the super global

That is what I was missing. My onAuthorized basically took auth.token and saved it into its own (global) variable. I was unaware of the .viewer.sessionToken, and that should do it for me. I searched the docs multiple times. Is there another place where this stuff is documented?

Which means that when onAuthorized is called again your own global variable should of been updated?

So the question: Is why on a second/follow up call to onAuthorized did your own global not update? Which would of prevented this post since your follow up onAuth should of updated…

The globals (and other functions) are listed here:

Yes that is what I had thought would happen, but in my use case it isn’t

twitch.onAuthorized((auth) =>{
    token = auth.token;
    userID = auth.userID;
    current_config = twitch.configuration.broadcaster.content;
    //builds our buttons and frames

And my fetch uses token as part of its call.

But for whatever reason everything starts failing after an hour. I’m going to go ahead and use the global variable to see if the behavior changes.

You might have a uncaught javascript error somewhere, since you are calling the config service, which crashes a bunch of things.

You don’t handle twitch.configuration.broadcaster being null for example

Since you probably want to populate/fetch broadcaster content inside the config onChanged event instead

Understood, and that is how it is set up in config.

How else would I pull the configuration as that is sent in the POST to the EBS.

And I’m not seeing any exceptions thrown in the browser from twitch or the extension.

Your EBS can fetch the config service data from the API - Reference | Twitch Developers

So you don’t need to fetch it to send it via POST. And prevent user/viewer manipulation.

bad/paraprhased code.
I wait for the two independant calls to be ready.
This is naturally incomplete code with a lot of validation missing and I usually doesn’t use an array for my ready score. Just quickest demo

let isReady = [false,false];
onAuth(() => {
    isReady[0] = true;
onChanged(() => {
    isReady[1] = true;
function ready() {
    if (!isReady[0] || !isReady[1]) {

Gotcha, I don’t really need that much security to be honest. The information is just for the datapull from the database and that data is in no way sensitive. But in the interest of learning I perhaps should.

Just to add, yeah looks like the sessionToken did the trick. been running for several hours now and we no longer suddenly have “bad” JWTs being sent from the extension

I’m also facing same problem. But I don’t know why it is happening.

assuming you are appling the notes above.

And your code is using the up to date JWT to call you EBS with from the front end using the super global window.Twitch.ext.viewer.sessionToken

Then the likely case is that someones browser client is misbehaving beyond your control or a bad actor is trying to bad act.

Otherwise please start a seperate thread with your issue than jumping on someone elses solved provlem.