Noobie here ! Got the Code - Got the Token - But who is it?

Heya folks :slight_smile:

I managed to get OAuth working and I’ve now got
$code = $_GET["code"];
$state = $_GET["state"];
and
$accesstoken = $_GET["access_token"];
$expiry = $_GET["expires_in"];
$idtoken = $_GET["id_token"];
$refresh = $_GET["refresh_token"];

Been reading all over the place and can’t find how to get the broadcaster_id of the person who is authed ? Any help would be appreciated :slight_smile:

All the best,

Zoe


Call the validate token endpoint

Example: Token Checker | Twitch API Example

Or call the Get Users endpoint

Example: Twitch Implicit Auth Example

or since you seem to be using OIDC (id_token) call the user info endpoint

Which as per well known

https://id.twitch.tv/oauth2/.well-known/openid-configuration

is

https://id.twitch.tv/oauth2/userinfo

example: https://github.com/BarryCarlyon/twitch_misc/blob/main/authentication/oidc_authentication/server.js#L224

Heya @BarryCarlyon :slight_smile:

Thanks for the reply.

Still getting my head around all this. SO many steps for what I thought would be simple :crazy_face:

I now have:

========== VALIDATION Data ==========

Array
(
[client_id] =>
[login] => zoeballz
[scopes] => Array
(
[0] => openid
[1] => user:manage:blocked_users
[2] => user:read:blocked_users
)

[user_id] => <redacted>
[expires_in] => 15630

)

Is the “user_id” the same thing as “broadcaster_id” referred to in (for example) https://dev.twitch.tv/docs/api/reference/#get-channel-information

Many thanks,

Zoe

For oAuth it’s pretty straight forward

  • user comes to your website
  • they click login with service
  • then get sent to service
  • they click yes/no
  • they come back with a ?code
  • exchange the code for a token
  • use the token with the relevant service endpoint to get the user's data

That works for pretty much any oAuth service, you just drop in the URLs for the service.

Sorry - Just finished editing my reply. I managed to send it before it was complete !

Correct.

Different terms are used on endpoints to help describe entities if a given endpoint involves more than one entity

also user IDs are public data, no need to hide that really. :stuck_out_tongue: (Same with client_ids.)

Habit :smiley:

Definitely think I’m missing something here…

========== VALIDATION Data ==========

Array
(
    [client_id] => <redacted>
    [login] => zoeballz
    [scopes] => Array
        (
            [0] => openid
            [1] => user:manage:blocked_users
            [2] => user:read:blocked_users
        )

    [user_id] => <redacted>
    [expires_in] => 14769
)

========== BLOCKED Data ==========


Warning: file_get_contents(https://api.twitch.tv/helix/users/blocks?broadcaster_id=60799143&first=100): Failed to open stream: HTTP request failed! HTTP/1.1 401 Unauthorized in E:\xampp\htdocs\Twitch\auth.php on line 89

My code is…

echo "========== VALIDATION Data ==========\r\n";
$accesstoken = $authinfo["access_token"];
$expiry = $authinfo["expires_in"];
$idtoken = $authinfo["id_token"];
$refresh = $authinfo["refresh_token"];

$getinfo = "https://id.twitch.tv/oauth2/validate";
$context = stream_context_create(
    array(
        'http' => array(
            'method' => "GET",
            'header' => "Authorization: OAuth $accesstoken"
        )
    )
);

$validinfo = file_get_contents($getinfo, false, $context);
$validinfo = json_decode($validinfo, true);

zprint($validinfo);

if (isset($validinfo["user_id"])) {
    echo "========== BLOCKED Data ==========\r\n";
    $userid = $validinfo["user_id"];
    $username = $validinfo["login"];

    $getinfo = "https://api.twitch.tv/helix/users/blocks" .
               "?broadcaster_id=" . $userid .
               "&first=100";
    $context = stream_context_create(
        array(
            'http' => array(
                'method' => "GET",
                'header' => "Authorization: OAuth $accesstoken"
            )
        )
    );

    $blocked = file_get_contents($getinfo, false, $context);
    $blocked = json_decode($blocked, true);

    zprint($blocked);
}

Many thanks

Zoe

You need Bearer $accesstoken not OAuth $accesstoken

Helix uses the Bearer prefix for the authorization header

Standardisation of terms is not so strong with Twitch then ? :smiley:

All of helix uses Bearer.

And the validate endpoint does support Bearer. It just has a longer history of using OAuth and in general it ties into “works with standard oauth libraries” for the oauth related endpoints.

So it’s “standardised across helix” at least.


Still getting the same error though :confused:

			$context = stream_context_create(
				array(
					'http'=>array(
						'method'=>"GET",
						'header'=>"Authorization: Bearer $accesstoken"
					)
				)
			);

My mistake, I forgot to point out that you are missing a Client-Id header, as I got focussed on the wrong auth header prefix.

curl -X GET 'https://api.twitch.tv/helix/users/blocks?broadcaster_id=141981764' \
-H 'Authorization: Bearer 2gbdx6oar67tqtcmt49t3wpcgycthx' \
-H 'Client-Id: wbmytr93xzw8zbg0p1izqyzzc5mbiz'

Additionally if you update your code to spit out the body of the response and not just the HTTP Code then the error message contained in the response should tell you the problem.

The HTTP code is half the information.


Ok - Got it now (after fighting with the context syntax for 15 mins!!)

So I’ve got the first page of data and then this…

    [pagination] => Array
        (
            [cursor] => a-great-long-string-here==
        )

So…
Q1. I assume that is the string for the “after” field to get next page ?
Q2. Which is the best page that explains the rate limiting ? I found a few and they seem to contradict !!

Many thanks

Zoe

p.s. - This is for server to server

Yes

You have 800 points to spend, but you’ll find that in general, you get the point back you spent during a request before you make the next request.

In general you won’t get anywhere near the limit it’s pretty “big”.

It’s only an issue when you are doing a lot of stuff in parallel, and I mean A LOT here.
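The two answers above (send `Bearer` plus `Client-Id` and read the response body on an error; the cursor goes in `after` for the next page), as an added Node.js example that is not from the thread: a small Helix GET helper that throws with the body text on a non-2xx status, a `whoAmI` that reads `user_id` from `/validate`, and a loop that follows `pagination.cursor` until it is absent. The endpoint URLs and header names are the ones quoted in the thread; `fetchImpl` is any fetch-compatible function, and `fakeTwitch`, the user_id, the cursor string and the blocked-user records are constructed stand-ins for the demo, not real API output.

```javascript
// Added example (not from the thread): Helix GET with Bearer + Client-Id,
// error bodies surfaced, and cursor pagination.  Names are hypothetical.
const HELIX = 'https://api.twitch.tv/helix';
const VALIDATE_URL = 'https://id.twitch.tv/oauth2/validate';

function helixHeaders(accessToken, clientId) {
  return { Authorization: `Bearer ${accessToken}`, 'Client-Id': clientId };
}

// GET `url` and parse JSON.  On a non-2xx status throw an error that carries
// the body: the status line ("401 Unauthorized") is only half the information.
async function getJson(fetchImpl, url, headers) {
  const res = await fetchImpl(url, { method: 'GET', headers });
  const text = await res.text();
  if (res.status < 200 || res.status >= 300) {
    throw new Error(`HTTP ${res.status} from ${url}: ${text}`);
  }
  return JSON.parse(text);
}

// Who is this token for?  /validate returns login, user_id and scopes.
// (The thread notes /validate accepts the "OAuth" prefix as well as "Bearer".)
async function whoAmI(fetchImpl, accessToken) {
  const info = await getJson(fetchImpl, VALIDATE_URL, { Authorization: `OAuth ${accessToken}` });
  return { userId: info.user_id, login: info.login, scopes: info.scopes };
}

// Every page of /users/blocks for the authed user (broadcaster_id is their own
// user_id).  Stops when the response has no pagination.cursor.
async function allBlockedUsers(fetchImpl, accessToken, clientId, broadcasterId) {
  const out = [];
  let after;
  do {
    const u = new URL(`${HELIX}/users/blocks`);
    u.searchParams.set('broadcaster_id', broadcasterId);
    u.searchParams.set('first', '100');
    if (after) u.searchParams.set('after', after);
    const page = await getJson(fetchImpl, u.toString(), helixHeaders(accessToken, clientId));
    out.push(...page.data);
    after = page.pagination && page.pagination.cursor;
  } while (after);
  return out;
}

// Constructed stand-in for fetch(): answers /validate, returns 401 with a JSON
// body when Client-Id or the Bearer prefix is missing (as the thread's PHP
// did), and serves two made-up pages of blocked users joined by a cursor.
function fakeTwitch(url, { headers }) {
  const reply = (status, body) => ({ status, text: async () => JSON.stringify(body) });
  const u = new URL(url);
  if (u.pathname === '/oauth2/validate') {
    return reply(200, { client_id: 'cid', login: 'zoeballz', user_id: '60799143',
                        scopes: ['openid', 'user:read:blocked_users'], expires_in: 14769 });
  }
  if (!headers['Client-Id'] || !/^Bearer /.test(headers.Authorization || '')) {
    return reply(401, { error: 'Unauthorized', status: 401,
                        message: 'constructed message: missing Client-Id or Bearer token' });
  }
  const pages = {
    first: { data: [{ user_id: '1', user_login: 'bot_one' }, { user_id: '2', user_login: 'bot_two' }],
             pagination: { cursor: 'eyJiIjpudWxsfQ==' } },
    'eyJiIjpudWxsfQ==': { data: [{ user_id: '3', user_login: 'bot_three' }], pagination: {} },
  };
  return reply(200, pages[u.searchParams.get('after') || 'first']);
}

// Demo: identify the user, then collect all their blocks through the fake API.
async function demo(fetchImpl = fakeTwitch) {
  const me = await whoAmI(fetchImpl, 'token');
  const blocked = await allBlockedUsers(fetchImpl, 'token', 'cid', me.userId);
  return blocked.map((b) => b.user_login);
}

demo().then((logins) => console.log('blocked:', logins.join(', ')));
```

Swap `fakeTwitch` for Node's global `fetch` (Node 18+) to run it against the real API; the PHP equivalent is a second `'header'` line (`"Client-Id: $clientid"`) in the stream context and reading `$http_response_header` together with the body rather than relying on the warning text.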

I was thinking of having a separate registered app/client for each user that would be using this ? I was told that apps are not limited ? Not sure if that’s accurate ?

I am trying to fully automate CommanderRoot’s known bot blocklist to run on the server (using a database to keep record of who is already blocked) instead of having to have a browser open for 5hrs+ at a time…

Many thanks

Zoe

That would be a violation of the developer agreement.

Since you are creating duplicate client ID’s with the intent of bypassing the rate limit.

The point of oAuth is you can tie multiple users to the same Client-ID.

The list is full of false positives and brings zero benefits to a channel in my opinion.

All it does is clog up the blocks service with useless blocks.

And the bots on this list don’t do anything so blocking/banning them from your channel(s) does absolutely nothing to benefit the channel.

Just so you are aware, that “bot” list has a significant number of false positives in it, much like many of the other supposed “bot” lists floating around, and it’s generally recommended not to use such lists as you’ll be negatively impacting the channels you’re mistakenly trying to ‘protect’.

That would be a violation of the developer agreement.

AH - OOPS - Won’t do that then

The list is full of false positives and brings zero benefits to a channel in my opinion.

Well I’ve only had a few in the 2-3 years I’ve been using it, but I intend to add a whitelist to my system so they won’t get blocked in the first place, i.e. it will put regulars and subscribers into the whitelist.

And the bots on this list don’t do anything.

Have to say I’d disagree there. I was getting bot attacked almost EVERY stream. VERY much reduced now, and I haven’t had an attack this year so far, whereas other streamers who were having the problem at the same time I was, are still having them.