isBitsEnabled via API

I can’t find an equivalent of window.Twitch.ext.bits.isBitsEnabled in the API, e.g. server-side, outside of the extension. This seems odd as validating purchase receipts is only meaningful if I know whether a receipt was expected in the first place.

Scenario is this. Seems the obvious use-case.

  • Server supplies extension with a list of actions and their SKUs
  • On the user actioning one, server is informed.
  • If bits are enabled, all is straightforward – expect a receipt, validate the receipt on the trusted server with our twitch secret.
  • But if bits aren’t enabled, the server has no knowledge of this, will expect a receipt for a paid action that was taken the free route, and not getting one will fail it. The server cannot trust the extension saying “this was paid but now is free”, as genuinely paid interactions could masquerade as free with some javascript tinkering. Hence looking for isBitsEnabled via API.

Or have I missed something?

There isn’t one.

It’s not possible to get a JWT recipet from a channel that doesn’t have bits enabled.

And if there is javascript tinkering the JWT that is sent won’t validate

Thanks. Good to have that confirmed.

I think where my use-case is different from the intended path is the config is done in desktop app, not the extensions page. In the extensions page you know whether bits are enabled so you know whether skus can be set or not.

(Though perhaps I wasn’t clear – the problem is knowing whether to expect a JWT back or not)

Its up to you then to figure out how you want or not want to support the usage of “free items” in your extension over bits exchanged for items. How you protect that is up to you to determine.

Knowing if bits is enabled or not doesn’t matter since, in theory, you could allow a channel to have free and bits exchanged items at the same time regardless of the setting.

Additionally a Desktop app cannot validate JWT’s or create JWT’s to talk to the config service anyway as you would be leaking your extension client secret.

That is unless your Desktop app connects to a server and the server handles the security and data relay.

In fact I can’t think of a way for a desktop app to recieve bits transaction JWT’s without a relay server. And that server can handle the necassary security.

You could also send the isBitsEnabled flag with your transactionRecipet JWT when you POST it to yoru server after a transactionComplete occurs.

As trn JWT’s only exist if bits are enabled.
But then you just have to figure out how you want to support free items or not.
I guess a you’d store the product list on your server, and the streamer can enable/disable the free item and you cross reference that list

I think we’ve established with no API for isBitsEnabled, it’s impossible by Twitch design if you set the skus outside of the extension config page. Because isBitsEnabled is a dynamic property in the extension, and there is no way to get a trusted answer for it outside the extension. The answer is simply to train the user not to set paid transactions in the desktop app if they’re not going to work in their use of the extension. Probably aided by checking whether the user is affiliate status or not, which is at least part of the ‘isBitsEnabled’ result.

So I’m good, know what to do. Thanks again!

Yep. See original post!

ALl good just wanted to make that note in case other stumble on this post and go “ooooh desktop app” and mistakening shove their secret into it.

I suppose, in theory, if the user is affilate+ you deny them access to the free item(s) and then they have to be bits enabled.

As you can check the user type in the API.