{'status': 401, 'message': 'invalid csrf token'} When trying to authorize through Python Script

Trying implicit grant flow this time, and I'm getting this error: {'status': 401, 'message': 'invalid csrf token'}
This only occurs when I use requests.post.
requests.get works, however I can't use .json() to get the access token and I can't find where else to get the access token using get …
Am I using post wrong?


(ignore the wasted extra line near the print and code lol, I just wanted to see if that would work instead for some reason)

You send them to that link. It isn't an API call. Then they redirect back to you with a code. Then you post with that code to get a token.

Send as in redirect (for clarity)

But the whole construct of the URL is wrong here

So you need to go back to the docs and check you are doing things correctly. Or we need to see all your code to try to understand what you are trying to do here.

Also please make sure that when you do send the user to that link, you ONLY use the params that the documentation, https://dev.twitch.tv/docs/authentication/getting-tokens-oauth, specifies.

You are using response_type: token but also including your apps client_secret which should not be used at all with the Implicit auth flow that you’re attempting to use and should NOT be exposed to the user.

alright, thanks.

I’m just trying to make an authentication for the user so that they can use the script for clipping on their own channel.

I remember talking to you before about OAuth, and I thought I had to use a website just to authenticate for the Python script I'm making until you mentioned Implicit Auth. That's what I'm attempting here.

I don't REALLY know how this authentication thing is supposed to work in terms of the order in which things are supposed to happen. (For example: do I need a button to send the user to verify, and then another button which gets the access_token after they have verified? Or should it all work within one button press?)

I can't really find any tutorials on authenticating and grabbing access tokens via Python, so I'm kinda in the dark.

+++: another thing is, with implicit auth, how would the redirect URL work? Because I get an error if I attempt to json() that, since it has the access_token once you verify yourself.

You still need a web server, even with the Implicit flow.

Implicit Auth:
Step 1: Send user to the Auth URL. They have to actually go to that URL, you do NOT make a GET or POST request yourself in your python code.

Step 2: The user on the Twitch site will be prompted to approve or deny the connection to your app and the permissions you’re asking for in the scopes.

Step 3: The user will be redirected back to your redirect URI with a token in the URL hash. Because this is the Implicit auth flow, the URL hash is only accessible within the client's browser and is not passed to your web server, so you will need the page the user is redirected to to access the token in the hash and pass it to your server, or ask the user to copy/paste the token from the URL bar.

Keep in mind the Implicit flow tokens can NOT be refreshed so the user will need to do this roughly every 60 days.

The difference with the Auth Code flow is that in Step 3 the user will be redirected with a code in the querystring params, which your web server can natively access, and so the server can exchange that code for an Access Token and Refresh Token. The access token only lasts about 4 hours, but you can use the refresh token to get new tokens programmatically without the user needing to auth again.

If this is a one time thing, you could do it without the web server, which will mean that when the user is redirected to your redirect URI it'll 404, at which point you would need to ask them to copy the token (if using the implicit flow) or the code (if using the auth code flow) from the URL bar and paste that into your app. It's not particularly user friendly, and I certainly don't recommend it for production use if you intend for multiple people to use your app.
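As an added example (not code from this thread, and not Twitch's own), the two pieces the steps above describe, in Python: building the authorize URL with only the documented parameters (no client_secret), and then reading the result of the redirect, where the implicit flow puts access_token in the URL fragment and the auth code flow puts code in the query string. The authorize endpoint is the one from the linked docs; the client id, redirect URI, scope and token values are constructed, and the state value is checked so a redirect your script did not start is rejected rather than trusted.

```python
from secrets import token_urlsafe
from urllib.parse import parse_qs, urlencode, urlsplit

# Twitch's documented authorize endpoint (from the docs linked above).
AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"


def new_state():
    """Random per-attempt value; keep it until the redirect comes back."""
    return token_urlsafe(16)


def build_auth_url(client_id, redirect_uri, scopes, flow, state):
    """URL the USER is sent to (a browser redirect, not a requests call).

    flow is "implicit" (response_type=token) or "code" (auth code flow).
    Only documented params go in; client_secret is never part of this URL.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "token" if flow == "implicit" else "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_redirect(redirect_url, expected_state):
    """Pull the token (implicit) or code (auth code) out of the redirect URL.

    Returns ("token", value) or ("code", value). Raises ValueError on a
    denial, a malformed redirect, or a state value we did not issue.
    """
    parts = urlsplit(redirect_url)
    query = parse_qs(parts.query)        # ?code=...  lives here
    fragment = parse_qs(parts.fragment)  # #access_token=...  lives here
    if "access_token" in fragment:
        kind, data, key = "token", fragment, "access_token"
    elif "code" in query:
        kind, data, key = "code", query, "code"
    elif "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    else:
        raise ValueError("redirect carries neither a token nor a code")
    if data.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this redirect")
    return kind, data[key][0]
```

The value you get back is either the token to use directly (implicit) or the code your server exchanges for a token (auth code); both come from the URL, never from `.json()` on the authorize page.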

like this example


a webpage or HTTP interceptor is expected to capture the token from the URL.

Or, using a webpage like this, you get the user to copy their token from this external tool and paste it into your tool.
