User Access Token Vs App Access Tokens. I'm confused

I am hoping someone can help me understand the differences in these. I am going to try to be verbose just so my process is clear.

I currently have a bot that is using OAuth2 authentication. My users will go to the bots website and login using twitch. The initial call looks like this


After that call I take the code I get and make another call with my client ID, secret, and grant type of authorization code. I use the return from that to get the access_token and refresh_token. After that I use the access_token to check their information and move along. I store the access_token but don’t ever use it again.

All of that would be the User Access Token correct?

Inside of my bot I am doing things like checking to see who is online, their followers, their subs, and follow dates. Within those calls to the V5 API I am just using my Client ID. I want to start adding some of the new functionality like creating clips. Is this where I would use app access tokens (obtained by the OAuth Client Credentials Flow (App Access Tokens))? Would I then use that access token for calls, and not the user access tokens I got earlier?

I tried searching around a little bit but didn’t see anything that really cleared it up for me.

1 Like

The difference between the User Access Token and the App Access Token is stated in the “Types of Tokens” section of the OAuth documentations

It states that ... app access tokens are not associated with a user, they cannot be used with endpoints that require user authentication Thus meaning that an application access token cannot be used to view private information such as Subscribers.

App and User access tokens both function the same way. The Twitch API requires you (the developer) to provide an authorization to access it.

The User Access Token is the user granting you permission to view their information.

If your application wanted to view public information such as games or streams you need to have permission from Twitch via an Application Access Token

If your application wanted to view private information such as subscribers or the stream key you need to go through the OAuth Client Credentials Flow (As you were doing to receive the stored access_token), and use that access_token as authentication.

P.S. Store the refresh_token too, you need it to get a new access_token when it expires


Just another thing to note, if you’re retrieving a User Access Token you might not need an App Access Token at all. When fetching a users stream (even though it’s public information) you can still use the Users Access Token.

User Access Token can view Public and Private Information.

App Access Token can only view Public Information


I had looked through the doc, I just couldn’t wrap my head around it. When you put it that way it makes more sense.

Do the different endpoints say which token they need? I.E. does clip create just need app, where subs would need user?

I knew I would need the refresh token at some point, but up until now I hadn’t needed it (I just started working with subs, everything else I did didn’t need tokens).

I appended an edit to my original response.

If you have a User Access Token you can use that for every endpoint. (As long as the key remains valid; a user can choose to deactivate a granted access token in (Make sure to catch invalid responses if a user invalidates their token) )

As for endpoints where you can’t use an Application Access Token, endpoints will list a Required scope: such as channel_subscriptions in APIv5 subscribers These require the User Access Token with the listed scope.

Create clips needs a user access token since you are creating a clip on behalf of a user. Same with subscribers.

App access tokens have no use in the Kraken API. In Helix you can use them for increased rate limits and they are also needed for Drops (which is limited to game developers).

Final question. I think I read this in another topic, but the OAuth2 process I am using now (with Kraken) isn’t changing with the new API, so if I have working OAuth2 now, I will be fine. (I thought I read the auth system was different from the rest of the API)

Thank you very much for the help TheElm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.