In an effort to standardize authentication and provide security improvements for the Twitch community, OAuth will soon be required for all Twitch API endpoints in the new Twitch API, also known as “Helix.” The goal of this announcement is to provide a timeline, full details of this new requirement, and answer a few anticipated questions. Please feel free to add further questions via the comments below and we appreciate your feedback during this process.
Update (2020/06/02): See “How will this affect Extensions developers?” below.
Update (2020/04/21): We have changed the first scheduled window from April 30 to May 1.
Update (2020/04/20): To help developers with awareness of the OAuth requirements and confirmation that their applications meet the requirements, we are implementing scheduled windows when the requirements will be enforced. Please see the section below entitled, “When and how is this change happening?” with the full schedule that will begin on April 30 and conclude on May 11.
Starting on May 1, 2020, Helix will require the following:
- Use of OAuth across all endpoints, either via an app access token or user access token.
- The client ID provided in the corresponding header must match the client ID used to generate the OAuth token.
Here is a sample request to show the headers mentioned above.
curl -H 'Authorization: Bearer cfabdegwdoklmawdzdo98xt2fo512y' \
-H 'Client-ID: uo6dggojyb8d6soh92zknwmi5ej1q2' \
-X GET 'https://api.twitch.tv/helix/users?id=44322889'
When and how is this change happening?
Starting on May 1, we will begin implementing scheduled requirement windows based on the points above and the permanent requirement will go into effect on May 11, 2020. If your application does not meet the requirements above, it will experience 401 error responses during each window and permanently on May 11. The expected scheduled requirement windows are as follows:
- May 1: 1-hour requirement window starting at 11:00am Pacific
- May 4: 4-hour requirement window starting at 11:00am Pacific
- May 6: 24-hour requirement window starting at 11:00am Pacific
- May 11: Permanent requirement starting at 11:00am Pacific
Why is Twitch making these changes?
As part of our goal to provide a unified high-caliber API experience to developers, we are providing a more consistent and controlled means of access to the Twitch API.
How will this affect Extensions developers?
Update (2020/06/02): Extensions submitted for review on or before January 31, 2020 can continue to use Helix endpoints as-is for the foreseeable future. We are still exploring ways to provide the same functionality with OAuth requirements, though we do not have a date or timeline at this time. The text below has been updated with strikeouts to reflect this.
Existing Extensions submitted for review on or before January 31, 2020 can continue to use any Helix endpoints as-is
until June 31, 2020. These Extensions will need to be updated and adhere to the new OAuth requirements above by this date. New Extensions submitted for review on or after February 1, 2020 will need to use OAuth to access any Helix endpoints.
We are actively exploring methods to allow Extensions to have some of the same functionality developers currently have through the front-end without an OAuth token. It is currently in ideation stages
and we will have more information before the date in June.
Where can I learn more about the use of OAuth on Twitch?
Please refer to the Authentication section of the Twitch Developer documentation.
What happens if I don’t pass an OAuth token in my API request?
You will receive a 401 error in response noting that you must pass a valid OAuth token.
What happens if the client ID in the header of my request does not match the client ID in my OAuth token?
You will receive a 401 error in response noting that your pair of client IDs do not match.
My application does not currently make use of an OAuth token to access the Twitch API. What should I do?
We recommend passing an app access token within your request or a user token for a request made on behalf of a Twitch user. In addition to the authentication documentation, you can learn more about these options in our blog post entitled Authentication: Understanding Which Protocol and Flow is Right For You.
We also recommend that you do not use an app access token in your frontend development. This should be handled by a back-end server for the security of your application.
How will this change the Twitch API rate limits?
The Twitch API rate limits are currently based on either IP address for unauthenticated requests or OAuth tokens for those requiring authentication. After these changes, access to the API will only be available via OAuth tokens and rate limits will no longer be based on IP address.
As mentioned, please provide any questions you may have below; we appreciate your feedback related to this authentication change.