If You Use Twitch for Login to Your App, You Must Validate Every Request
This has been discussed already.
But for example, on https://streamlabs.com/ I can log in, then deactivate the integration in my Twitch channel settings, and the session is still valid there, so they for sure do not revalidate the tokens.
I’m asking because I check the token on every request to my service, so on every page load of a login-restricted page, and this check slows down my page-load performance massively.
So when big services like Streamlabs don’t even do this, why should I bother?
Am I understanding this wrong? Users authenticate with Twitch and a session is created; I don’t even need the access token thereafter for any requests.
As you say, the guidance is clear on what they require.
As with any API, you can do something contrary or undocumented, but don’t complain when your stuff breaks later because of it.
Thanks for the reply!
What I wanted to say is that if Streamlabs does not revalidate the token on every request to their service, either
a) they are doing something contrary
or
b) they are using the API correctly without revalidating the token every time.
So if it’s a), it would be kinda sad because even the big players don’t listen to what is said in the API.
If it’s b), I hoped to know how to use the API without constant validation requests.
They are validating the token. Each time a user logs in to their service is a ‘request to their service’, and the session expiration is set short enough on most sites that use Twitch for login so the user is forced to log in again (this can even be done seamlessly without user interaction as long as they haven’t revoked the app). They don’t need to validate again each time you load a different page, or some event triggers; that would be impossible.
Yes, this does leave a window where a user can log in, and then revoke the app access and continue using the app for as long as the session hasn’t expired. But that’s why session expiration is short, to minimise that window of time.
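
The pattern from the last reply (validate at login, keep sessions short, skip the check on ordinary page loads) can be sketched as below. This is an added example, not code from Twitch or from anyone in the thread; `Session`, `session_allowed`, and the two interval values are assumptions chosen for illustration, and the only real interface used is Twitch's `https://id.twitch.tv/oauth2/validate` endpoint.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"
SESSION_TTL = 4 * 3600        # assumed value: hard session lifetime, in seconds
REVALIDATE_EVERY = 15 * 60    # assumed value: max age of the last token check


@dataclass
class Session:
    """Hypothetical server-side session record created at login."""
    access_token: str
    created_at: float     # when the user logged in (token validated then)
    validated_at: float   # when the token was last confirmed with Twitch


def twitch_validate(token: str) -> bool:
    """True if Twitch answers 200 for the token, False on 401 (revoked/expired)."""
    req = urllib.request.Request(
        VALIDATE_URL, headers={"Authorization": f"OAuth {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise  # outage or rate limit: surface it, never treat it as "valid"


def session_allowed(session: Session, now: float, validate=twitch_validate) -> bool:
    """Per-request gate. False means: destroy the session and force a new login."""
    if now - session.created_at >= SESSION_TTL:
        return False                  # short expiry bounds the revocation window
    if now - session.validated_at < REVALIDATE_EVERY:
        return True                   # checked recently: no call to Twitch
    if not validate(session.access_token):
        return False                  # user disconnected the app since last check
    session.validated_at = now        # remember the successful check
    return True
```

With these settings most page loads cost one timestamp comparison, and a revoked integration is noticed within `REVALIDATE_EVERY` seconds rather than only at session expiry.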