Invalid Authorization Token

I’m trying to get an access token after a user goes to the application authentication page saying they allow my app to use their info etc etc. Then it redirects the oauth request to my server,, where I then want to get an access code using the code returned. However, the code returned is giving me an invalid authorization code. Any idea why?
I’m trying to follow along with the OAuth Authorization Flow as specified by here I am using Postman to make a POST using the printed link to see the response easier.

app.get('/twitch_authorized/', async function(req,res){
    // now we need access token

You followed the documentation for a server to server token.

You need to follow the user token flow:

I linked the wrong thing, I’m pretty sure what you linked is what I actually followed. When I make my post requests etc I am using the params specified by that.

Whats the URL you use to send the user to Twitch?

That looks correct.

The only error I see is in your OP you specify one redirectURI and in your last message, you use a different redirecURI.

So I don’t see any code issues here.

Your op code doesn’t have a res.send() so it’s just gonna hang there.

Is that all the code for that function/route?

Well I send it to a different redirectURI because I want to do something different once I get the access token. Once I get the access token I want to get the person who authenticateds’ username so I can make a webhook to subscribe to the event of them broadcasting, so I want different code to run than in the /twitch_authorized/ route. I’ve got more code but it’s all commented out because I can’t do anything with the invalid token. Could I have just saturated my personal tokens or something so the new ones aren’t valid?

Yeah that must’ve been it or something, after waiting a little bit it went through.


Multiple redirectURI’s is new. But in the token exchange you should use the same redirect_uri.

Steps are

  1. someone comes to your site and hits login
  2. You send some to Twitch, they accept the connection
  • They come back to you with a code, to the specified redirectURI in the outbound redirect/link, in step 2.

  • You use that code with the same ClientID and redirectURI to get an access token, via server to server HTTP Post (not a redirect to the token exchange URL).

  • Then you use the access token as you need to.

Thats it.

Theres no redirect after that, so you attempting to use two redirectURI’s in the flow doesn’t make sense here

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.