PHP - authentication troubles

This is my first time working with the twitch api and basically I’m just trying to authenticate a user and get their username logging in. I can get the GET request fine to get the code, but then the documentation loses me with getting the ‘state’ parameter.

If I test it using the documentation state (and even without it) I get something that looks like this as a result from my curl info:

    [url] =>
    [content_type] => 
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 1
    [redirect_count] => 0
    [total_time] => 0.031
    [namelookup_time] => 0
    [connect_time] => 0.015
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
    [redirect_url] => 
    [primary_ip] => X
    [certinfo] => Array

    [primary_port] => 443
    [local_ip] => X
    [local_port] => 59498

What am I doing wrong?

This is what I have so far:

$ch = curl_init("");
  curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($ch, CURLOPT_POST, 1);
  $fields = array(
    'client_id' => 'p4axx80zlzi6t3kwc79ri3uu3kqpqi',
    'client_secret' => 'ihopethiswasntyoursecret',
    'grant_type' => 'authorization_code',
    'redirect_uri' => '', //Not my actual url
    'code' => $_GET[code]
  curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
  $data = curl_exec($ch);
  print_r($data); // confirm that this is not what we want
  $info = curl_getinfo($ch); // let's get some details about that last request
// print it out and see what we get
  echo '<pre>';
  echo '</pre>';

And I’m just really thrown off, I guess, I’ve googled around for a day without finding any solution or answer.

They’re not POSTFIELDS, they’re GET parameters, even though it is a POST request. The body is just empty.

$fields = array(
  'client_id' => 'p4axx80zlzi6t3kwc79ri3uu3kqpqi',
  'client_secret' => 'ihopethiswasntyoursecret',
  'grant_type' => 'authorization_code',
  'redirect_uri' => '', //Not my actual url
  'code' => $_GET['code']
$url = "" . http_build_query($fields);

You do not need to use the state parameter, but it’s recommended. It’s simply echoed back to you so you can save data across an authentication that way and verify it was your website that initiated the auth request.


if code is defined, that’s going to not do what you want, use a string explicitly. (I believe PHP logs a notice for this)

So, I’m still sorta having issues. Every time I try to get it, I get a JSON object spit back to me that basically says
{“error”:“Not Found”,“status”:404,“message”:null}

I get that from both the browser and command line w/ CURL

I am not too familiar with CURL w/ php so I just want to make sure I am getting this done right

$fields = array(
‘client_id’ => ‘p4axx80zlzi6t3kwc79ri3uu3kqpqi’,
‘client_secret’ => ‘ihopethiswasntyoursecret’,
‘grant_type’ => ‘authorization_code’,
‘redirect_uri’ => ‘xyz’, //Not my actual url
‘code’ => $_GET[‘code’]
$url = "" . http_build_query($fields);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, 1);
$data = curl_exec($ch);

Or am I needing to set this up another way?

I took a look at my working code now that I have access to it and it seems I was incorrect earlier about the data needing to be GET params like the docs say (I’m not even sure GET params work, maybe @DallasNChains can confirm).

Working code I have tucked away:

function api_call(string $url, array $data = []) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

    curl_setopt($ch, CURLOPT_POST, 1);
    $postdata = http_build_query($data);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);

    $output = curl_exec($ch);
    $e = curl_error($ch);
    if ($e) {
        die('FATAL ERROR');
    return $output;

if (array_key_exists('code', $_GET)) {
    $oauth_info = api_call('', [
        'client_id' => $CLID,
        'client_secret' => $SECRET,
        'grant_type' => 'authorization_code',
        'redirect_uri' => urldecode($REDIRURI), // my $REDIRURI is stored urlencoded due to being used that way more times
        'code' => $_GET['code']
    $oauth = json_decode($oauth_info, true);

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.