[Helix] Get User Active Extensions Resolved User ID Bug


When requesting a user’s active extensions using only a Client-ID, I get unexpected results when I request extensions with an invalid user-id. Somehow, the API is able to resolve just the user only based on the Client-ID when it detects the invalid user-id specified in the query parameter.


The first test is exactly what is described in the issue.

Valid Client ID, invalid explicit User ID

However, when I only specify a Client-ID, I get 400 - Bad Request. Exactly what I expected because there was no specified user-id and no bearer token to implicitly specify the user.

Valid Client ID, no User ID

What’s even weirder is when I make the request using the Client-ID that is associated with my bot account and specify an invalid user-id, not only do I get 200 - OK, I actually get extension data! My bot account has no extensions installed! And not only that, but the extension data returned is for my actual account, which was not included in the request in any way.

Valid Client ID (Bot), invalid explicit User ID

I have no idea what is causing this and it’s driving me nuts.

Shouldn’t you be requesting with an oAuth? And the oAuth overrides the clientID (the end point is scoped) goes to check the docs


Requires the scope: user:read:broadcast

As does

Optional scope: user:read:broadcast or user:edit:broadcast

Wonder why it’s optional…

So yeah, seems you can do it without an oAuth with a ClientID and specify a UserID…

Your OP seems weird, do you mean a Valid ClientID or Valid oAuth (bearer since helix)?

All of the requests above were made with a Client-ID, no OAuth (Bearer) token.

Your Parameters[2] is truncated in your screenshots. Just for clarity, are you sure you don’t have an oAuth hidden in there?

Also, you are trying to pass {user_id} as Parameters[1]; are you sending that in the body or as a Query String (GET) parameter?

I’m unfamiliar with RestSharp. I’m not sure, in your “Parameters” in the screenshots, what’s a header, what’s passed in the BODY and what’s Query String.

My tests:

  • No Client ID

{"error":"Unauthorized","status":401,"message":"Must provide a valid Client-ID or OAuth token"}

  • ClientID only

{"error":"Bad Request","status":400,"message":"No User ID Specified."}

  • No ClientID, with user_id

{"error":"Unauthorized","status":401,"message":"Must provide a valid Client-ID or OAuth token"}

  • With ClientID, with user_id

Extension data (resp omitted)

  • No ClientID, With oAuth (for the user_id), no user_id

Extension data (resp omitted)

  • No ClientID, With oAuth, no user_id

Extension data of oAuth’ed user (resp omitted)

  • No ClientID, With oAuth, different (valid) user_id

Extension data for user_id (resp omitted)

I think you have an oAuth in there somewhere, I cannot replicate Valid Client ID, no User ID except for what’s noted below:

If I send (an oAuth or a clientID) and an invalid user_id, I get “blank” extension data, ie: it lists all six slots with nothing active.


Basically with an invalid UserID you get a “blank” payload, rather than a “user_id” is not a user_id or user_id not found etc.

I don’t see any “active” extensions in the truncated payload response in the screenshot for “Valid Client ID (Bot), invalid explicit User ID”, just two “empty” slots //truncate

Basically, you are requesting extensions for “INVALID USER”. The user (ignoring them being invalid) doesn’t have any extensions active, so the response is all six slots being active: false

API Response: 200 OK, User has no active extensions.

Rather than: 404 Not Found, User does not exist


You know what, that’s exactly what it was. I was so thrown off by the 200 - OK I was getting that getting back a “blank” response didn’t even cross my mind. It makes perfect sense now.

Although, I still think there should be some 4XX error code. Sending back a 200 - OK and a blank response just seems like a false positive, because that legitimately could be a real result if a user actually has no active extensions.

user_id sadjfhadjksfhkjasdhf doesn’t have any 😛

But I do see your point.
