Invalid Client Secret after regeneration – OAuth / EventSub Channel Points

Hello Twitch Developer Support,

I’m experiencing a persistent issue with OAuth authentication and EventSub subscriptions, even after regenerating my Client Secret.

Context:

  • I am using a Twitch Developer Application (OAuth 2.0)

  • I am implementing EventSub (WebSocket) for
    channel.channel_points_custom_reward_redemption.add

  • I am using a User Access Token (not client credentials) with the following scopes:

    • channel:read:redemptions

    • channel:manage:redemptions

    • chat:read

    • chat:edit

Problem:
After regenerating the Client Secret in the Twitch Developer Console and generating a new User Access Token with the correct scopes, I still encounter the following errors:

  1. When validating or exchanging credentials: HTTP 403 Forbidden
    message: “invalid client secret”

  2. When subscribing to EventSub: This token does not have any of the requested scopes
    (channel:read:redemptions, channel:manage:redemptions)

  3. This happens even though:

    • The scopes are correctly selected during authorization

    • The token is freshly generated

    • The token works for chat and other user-level API calls

    • The broadcaster ID and login are correct

    • The application was restarted after regeneration

Additional notes:

  • This setup previously worked with the same logic

  • The issue started after regenerating the Client Secret

  • It appears as if the regenerated secret is not being accepted or properly propagated

  • Client Credentials flow is NOT being used for EventSub (only User Access Token)

Question:
Is there a known issue where a regenerated Client Secret may remain invalid, cached, or desynchronized?
Is there an additional step required after regenerating a Client Secret to make it fully active for OAuth and EventSub?

I’m happy to provide:

  • App Client ID

  • App name

  • Timestamps of regeneration

  • Request IDs / logs if needed

Thank you for your help.

Best regards, Mario

First of all, this is ChatGPT (or similar); as a result you got stuck in the spam filters. It’s also hallucinated a lot of extra information.

Then the client secret is wrong.

You either copy/pasted it from the Dev Console wrong. Or your call to generate a token is wrong.

Or, given the use of AI to generate this post, the AI code you generated is wrong.

This should be flat failing if you are getting an invalid secret. Not “scopes are wrong”, which suggests you somehow got a token and are using that.

No. It’s instant (it has to be, for if a secret is leaked you need to be able to instantly kill said secret).

No

Not needed at this time.

So, we need to see the code you are using to generate/complete the token exchange, assuming you are using code flow OAuth and not implicit auth, since implicit doesn’t need a secret at all.

How, if the token has no scopes? Since you only seem to be asking for, to quote you:

This token does not have any of the requested scopes

so chat API calls will not work. So this doesn’t seem correct. The AI is hallucinating once more it seems?

This entire section contradicts itself.

In 1. you say you failed to get a token

In 2. you say you got a token but it is missing scopes

In 3. you say that chat related calls still work, but in 1 you didn’t get a token and in 2 it’s missing scopes?

I’m confused what’s going on here, since it seems you are holding onto a broken token when the generate a new token trips up? So there’s some cross talk going on. Perhaps the code is holding onto the previous secret like it is a previous token?

For reference, these are “legacy” of sorts IRC scopes; for consistency you probably want to migrate to EventSub so both chat and redeems come over EventSub instead of running two sockets (one for chat, one for redeems).
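
Added example (not part of either post above, and not code from the poster's application): one way to check which token an app is actually holding, by classifying the response of Twitch's token validation endpoint before subscribing to EventSub. The function name, the finding labels, the client ID and both sample response bodies are constructed for illustration.

```python
import json

# Either scope satisfies the subscription, per the error quoted in the thread
# ("does not have any of the requested scopes").
REDEMPTION_SCOPES = {"channel:read:redemptions", "channel:manage:redemptions"}


def diagnose_token(status, body, expected_client_id, needed=REDEMPTION_SCOPES):
    """Classify a token from the status and body returned by
    GET https://id.twitch.tv/oauth2/validate (Authorization: OAuth <token>)."""
    if status != 200:
        # The token itself is dead: revoked, expired, or never issued.
        return ["token_rejected"]
    info = json.loads(body)
    findings = []
    if info.get("client_id") != expected_client_id:
        # Token was minted for a different application than the one configured.
        findings.append("wrong_client_id")
    if not info.get("user_id"):
        # Assumption: app access tokens validate without a user_id field.
        findings.append("not_a_user_token")
    granted = set(info.get("scopes") or [])
    if not granted & needed:
        # The situation in the thread: the token works for chat only.
        findings.append("missing_redemption_scope")
    return findings or ["ok"]


# Constructed sample bodies, not real Twitch output.
STALE_CHAT_TOKEN = json.dumps({
    "client_id": "example_client_id", "login": "examplebroadcaster",
    "scopes": ["chat:read", "chat:edit"],
    "user_id": "12345", "expires_in": 5000,
})
FRESH_TOKEN = json.dumps({
    "client_id": "example_client_id", "login": "examplebroadcaster",
    "scopes": ["channel:read:redemptions", "channel:manage:redemptions",
               "chat:read", "chat:edit"],
    "user_id": "12345", "expires_in": 5000,
})

if __name__ == "__main__":
    for name, body in (("stale", STALE_CHAT_TOKEN), ("fresh", FRESH_TOKEN)):
        print(name, diagnose_token(200, body, "example_client_id"))
```

A token that validates with only the chat scopes is an older token still loaded by the application, which is consistent with chat calls succeeding while the EventSub subscription is refused.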