[JavaScript] Trouble banning users through API

I’m having trouble sending an API request to ban users. Everything sent to the function is correct, but I still get this error:

This is the code used:

function banUser(oauthToken, clientId, channel, mod, usr) {
  var apiEndpoint = `https://api.twitch.tv/helix/moderation/bans?broadcaster_id=261997717&moderator_id=${mod}`

  // Set up the headers for the POST request
  var headers = {
    'Client-ID': clientId,
    'Authorization': 'Bearer ' + oauthToken,
  };

  // Set up the data for the POST request
  var postData = {
    'data': {
      'user_id': usr,
      'reason': 'test'
    }
  };

  // Set up the options for the POST request
  var options2 = {
    'method': 'post',
    'headers': headers,
    'contentType': 'application/x-www-form-urlencoded',
    'payload': postData
  };

  // Make the POST request to the Twitch API
  var response = UrlFetchApp.fetch(apiEndpoint, options2);

  // Parse the JSON response
  var responseData = JSON.parse(response.getContentText());

  return responseData
}

Everything seems to be correct as shown on the API docs.

The documentation for this endpoint recommends using a JSON body.
You tried to send a FORM body

  // Set up the data for the POST request
  var postData = JSON.stringify({
    'data': {
      'user_id': usr,
      'reason': 'test'
    }
  });

  // Set up the options for the POST request
  var options2 = {
    'method': 'post',
    'headers': headers,
    'contentType': 'application/json',
    'payload': postData
  };

may suffice

I have updated the code to that, and it fixed that error, but now there’s a new error.

The moderator_id is my user id which should be the same in the OAuth token.

The error indicates this is not the case.

You either:

  • Generated and are using an app access token
  • The user in the oAuth token is not for the moderator_id in the request.

A tool such as https://barrycarlyon.github.io/twitch_misc/examples/token_checker/ will invoke the validate and user endpoints to declare if the token is of the right type, has the right scopes and is for the expected user.

For example:
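The same check can be scripted. This is an added example, not part of the original post and not the code of the linked tool: it inspects the JSON body returned by `https://id.twitch.tv/oauth2/validate` before the ban endpoint is called. The client ID, login and user IDs are constructed sample values; `moderator:manage:banned_users` is the scope the Ban User endpoint requires.

```javascript
// Pre-flight check for a token that will be used on POST /helix/moderation/bans.
// `validation` is the parsed JSON body from GET https://id.twitch.tv/oauth2/validate.
const BAN_SCOPE = 'moderator:manage:banned_users';

function checkBanToken(validation, expectedClientId, moderatorId) {
  const problems = [];
  if (!validation || typeof validation !== 'object') {
    return ['validate response is missing or not an object'];
  }
  if (validation.client_id !== expectedClientId) {
    problems.push('token was issued to a different client_id');
  }
  // An app access token carries no user identity: user_id and login are absent.
  if (!validation.user_id) {
    problems.push('app access token: no user_id, cannot act as a moderator');
  } else if (String(validation.user_id) !== String(moderatorId)) {
    problems.push('token user_id does not match moderator_id');
  }
  const scopes = Array.isArray(validation.scopes) ? validation.scopes : [];
  if (!scopes.includes(BAN_SCOPE)) {
    problems.push('missing scope ' + BAN_SCOPE);
  }
  return problems;
}

// Network step, defined here but not called so the example runs offline.
async function fetchValidation(token) {
  const res = await fetch('https://id.twitch.tv/oauth2/validate', {
    headers: { Authorization: 'OAuth ' + token },
  });
  if (res.status === 401) return null; // invalid, expired or revoked token
  return res.json();
}

// Constructed sample validate responses (not real tokens or accounts).
const SAMPLE_APP_TOKEN = { client_id: 'exampleclientid', scopes: [], expires_in: 5000000 };
const SAMPLE_USER_TOKEN = {
  client_id: 'exampleclientid', login: 'examplemod', user_id: '1000',
  scopes: ['moderator:manage:banned_users'], expires_in: 14000,
};

console.log(checkBanToken(SAMPLE_APP_TOKEN, 'exampleclientid', '1000'));
console.log(checkBanToken(SAMPLE_USER_TOKEN, 'exampleclientid', '1000'));
```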

I checked the token using the tool, and it does say it is an App Access token. How might I obtain and use the correct token?

Usually the code flow is most appropriate here

I tried to switch the oauth function to use the API request in that docs page, but got stuck on this error.

This is the code:

function getTwitchOAuthToken(id, secret) {
  var url = `https://id.twitch.tv/oauth2/authorize?client_id=${id}&redirect_uri=http://localhost&response_type=code&scope==channel%3Amanage%3Apolls+channel%3Aread%3Apolls`;

  // Set the options for the HTTP request
  var options = {
    method: 'post',
    contentType: 'application/x-www-form-urlencoded',
  };

  // Make the HTTP POST request
  var response = UrlFetchApp.fetch(url, options);
  var data = JSON.parse(response.getContentText());

  console.log(data);
  return data;
}

The first step of oAuth is to redirect the user you wish to authenticate to Twitch in their browser to accept (or decline) the access between your clientID and your Twitch account.

Here you are fetching instead of sending the user to Twitch

This might not be able to work with what I’m coding. The code is for a Discord bot moderation command, so I can ban users from my Twitch streams straight from my Discord server. Would there be other ways to do this?

The only way to get a user oAuth token is to bounce the user you need a token for through an oAuth flow which requires a web browser. (as per the oAuth standard)

This only needs to be done once, or if the access/refresh token dies.

There is no way around the web browser step regardless of which user flow is used.

All three flows require a web browser to see who the user is that needs to create a link and accept/decline the access link between your ClientID and the user needing to provide the token.

  • Implicit auth, we’ll discount since every 60 days, bang, need a new token manually
  • Code flow, generate a URL, send the user to the URL, capture and exchange the code for access and refresh
  • DCF, generate a URL with a code, send the user to the URL, your program fetches the resultant token/refresh after a user hits OK in the web browser

With how my Discord bot runs, it won’t be able to do this. From what I can see, there are no other ways to ban users from external sources, so I’ll just have to scrap this idea until something new comes up that makes this possible.

if it helps I use something like this for my chat bots:

To get a token onto a headless server.

I run the script via SSH which gives me the URL to open in a web browser, then copy the ?code= back into the script which does the code to token exchange and away it goes.
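The copy-and-paste procedure described above, sketched as an added example; it is not part of the original post and is not the poster's own script. The client ID, secret, state and code values are constructed placeholders, `http://localhost` is the redirect URI used earlier in the thread, and `newState` assumes the Web Crypto global (Node 20+ or a browser).

```javascript
// Helpers for the authorization code flow on a headless host.
const AUTHORIZE_URL = 'https://id.twitch.tv/oauth2/authorize';
const TOKEN_URL = 'https://id.twitch.tv/oauth2/token';

// Random single-use value that ties the pasted redirect back to this run.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Step 1: the URL the script prints; the moderator opens it in a browser.
function buildAuthorizeUrl(clientId, redirectUri, scopes, state) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    response_type: 'code', client_id: clientId, redirect_uri: redirectUri,
    scope: scopes.join(' '), state,
  }).toString();
  return url.toString();
}

// Step 2: parse the redirect URL pasted back into the script.
function extractCode(pastedUrl, expectedState) {
  const params = new URL(pastedUrl).searchParams;
  if (params.get('error')) throw new Error('authorization denied: ' + params.get('error'));
  // Reject a redirect that was not started by this run.
  if (params.get('state') !== expectedState) throw new Error('state mismatch');
  const code = params.get('code');
  if (!code) throw new Error('no code in redirect');
  return code;
}

// Step 3: the server-side request that trades the code for access and refresh tokens.
function buildTokenRequest(clientId, clientSecret, code, redirectUri) {
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      client_id: clientId, client_secret: clientSecret, code,
      grant_type: 'authorization_code', redirect_uri: redirectUri,
    }).toString(),
  };
}

// Constructed walk-through with a fixed state so the output is repeatable.
const DEMO_STATE = 'constructed-state-0001';
console.log(buildAuthorizeUrl('exampleclientid', 'http://localhost',
  ['moderator:manage:banned_users'], DEMO_STATE));
console.log(extractCode('http://localhost/?code=constructedcode&state=' + DEMO_STATE, DEMO_STATE));
```

The token request carries the client secret, so it is sent from the script itself and never placed in the URL the browser opens.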

I looked into this, and sadly how my bot runs its code, this wouldn’t be possible.

Ignoring how Discord does stuff this is the industry standard way to get permission to do things on behalf of a user (oAuth) so you’ll have issues if you cannot make this work if you intend to integrate with other services.

Discord gives you a forever token to let your bot connect to Discord services which is unlike other services generally speaking.

So here for any service you just need to get to your bot/script a token/refresh to use initially and away it goes. (That token/refresh could be stored anywhere, not just redis as per my example)

So basically I’m not sure how it’s not possible, since to ban a user on Twitch you need a token from the user doing the banning and getting a token able to do that over to a script is straightforward.