Security Concerns with Twitch PubSub API Authorization Process

Twitch knows that an implicit token was used and blocks access by implicit tokens, leaving code flow tokens intact.

And/or they block the bad actor's IP address from access, leaving your main connection fine.

Finally, PubSub is deprecated: Legacy PubSub deprecation and shutdown timeline

In my opinion: The issue doesn’t exist under EventSub due to how authentication is segregated.

Edit: and what you describe can’t happen, as there's no rule that would block the developer if a bad actor misuses the clientID

  • Clients can listen on up to 50 topics per connection. Trying to listen on more topics will result in an error message.
  • We recommend that a single client IP address establishes no more than 10 simultaneous connections.

There's nothing where a bad actor can knock the developer offline.