Refreshing Access Tokens | Twitch Developers documents the
client_secret attribute as
required which is not correct anymore. It is only required for confidential client types, not for public ones. Public clients using the recently introduced Device Code Grant Flow do not have a
client_secret and do not need to provide it.
My tests confirm this, as I was able to exchange a refresh token of a public client for a new access token without including a
client_secret attribute in the body of the request.
I was not able to provide this feedback on the documentation page itself, since Twitch forces users to enable cross-site tracking in their browser for that … but that is a different topic. I just mention it to explain why this report landed here instead.