Getting 400 error when trying to refresh a token (client secret missing)


I am successfully running a game which connects to Twitch.
Currently I did not need a valid access token all the time, but this is changing now, so I probably need to refresh the token during the session.

I am running a nodejs based backend which I am using for handling the authentication stuff (as secrets in delivered assemblies are never secret…)

My code:

    axios.post('', {
        'grant_type': "refresh_token",
        'refresh_token': encodeURIComponent("RefreshTokenDeliveredFromGamesCallLandsHere"),
        'client_id': "mYcLiEnTiD",
        'client_secret': "sEcReThErE"
    }, {
        headers: {
            'Client-ID': "mYcLiEnTiD"
        },
        responseType: 'json'
    })
    .then((res) => {
        if (res.statusCode == 200) {
            if (debug) console.log('[' + (new Date()).toISOString() + '] Refresh successful');
        }
    })
    .catch((error) => {
        if (debug) console.log('[' + (new Date()).toISOString() + '] ' + error + ': ' + JSON.stringify([...]));
    });

I get the following result:

    Error: Request failed with status code 400: {"status":400,"message":"missing client secret"}

Can you lead me to what I’ve done wrong?

You don’t need the headers

I wonder if sending headers and HTTP post body has confused the API and it’s ignored your POST body because of the header

The API call to refresh is just

    &refresh_token=<your refresh token>
    &client_id=<your client ID>
    &client_secret=<your client secret>

No headers needed, so remove that

Thanks for your reply @BarryCarlyon!
Unfortunately omitting the header makes things worse: `{"status":400,"message":"missing client id"}`

The axios post is posting using the wrong form type.

The documentation specifies data-urlencode, and you/axios are probably sending “multipart/form-data” (instead of “application/x-www-form-urlencoded”) in error causing the problem

So try

    axios.post('' + encodeURIComponent("RefreshTokenDeliveredFromGamesCallLandsHere") + '&client_id=mYcLiEnTiD&client_secret=sEcReThErE', {},


Thanks for the heads-up @BarryCarlyon! That was the reason.

A cleaner - and WORKING - approach:

    var params = new URLSearchParams();
    params.append('grant_type', 'refresh_token');
    params.append('refresh_token', encodeURIComponent("RefreshTokenDeliveredFromGamesCallLandsHere")); //I am not finally sure if the encode is still required here but it works with it.
    params.append('client_id', "mYcLiEnTiD");
    params.append('client_secret', "sEcReThErE");
    axios.post('', params, { responseType: 'json' }).then([...]
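
Added example, not part of any post in this thread: it compares the request bodies discussed above and shows what `encodeURIComponent` does to a value that is then passed to `URLSearchParams`. `mockTokenEndpoint` and the `as…` helpers are hypothetical names, the endpoint is a local stand-in that only reads form-encoded bodies (not Twitch's implementation), and the refresh token is a constructed value.

```javascript
// Constructed sample values (placeholders from the thread; the token is made up
// and deliberately contains reserved characters).
const fields = {
  grant_type: 'refresh_token',
  refresh_token: 'abc+123/xyz=',
  client_id: 'mYcLiEnTiD',
  client_secret: 'sEcReThErE',
};

// Hypothetical stand-in for a token endpoint that only reads form fields from an
// application/x-www-form-urlencoded body. Assumption for illustration only.
function mockTokenEndpoint({ contentType, body }) {
  const isForm = contentType.startsWith('application/x-www-form-urlencoded');
  const form = new URLSearchParams(isForm ? body : '');
  if (!form.get('client_id')) return { status: 400, message: 'missing client id' };
  if (!form.get('client_secret')) return { status: 400, message: 'missing client secret' };
  return { status: 200, refresh_token: form.get('refresh_token') };
}

// A plain object serialized as JSON, which is what axios does with one by default.
function asJson(f) {
  return { contentType: 'application/json', body: JSON.stringify(f) };
}

// URLSearchParams percent-encodes every value itself when serialized.
function asForm(f) {
  return {
    contentType: 'application/x-www-form-urlencoded',
    body: new URLSearchParams(f).toString(),
  };
}

// Wrapping each value in encodeURIComponent first means it gets encoded twice.
function asFormDoubleEncoded(f) {
  const params = new URLSearchParams();
  for (const [k, v] of Object.entries(f)) params.append(k, encodeURIComponent(v));
  return { contentType: 'application/x-www-form-urlencoded', body: params.toString() };
}

console.log(mockTokenEndpoint(asJson(fields)));              // rejected: no form fields seen
console.log(mockTokenEndpoint(asForm(fields)));              // token arrives unchanged
console.log(mockTokenEndpoint(asFormDoubleEncoded(fields))); // token arrives still percent-encoded
```

For a purely alphanumeric token `encodeURIComponent` changes nothing, so both form variants deliver the same value; the difference only appears once the token contains reserved characters.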
