What's stopping me stealing client IDs?

Let’s say you want to hit this endpoint.

It says it requires a client id (which I have).

What I don’t understand is, when you use this with a JavaScript-based request like AJAX, what stops me using someone else’s client ID that I could steal from their AJAX script?

What stops someone else taking my client ID out of my script and using it for their own purposes?


Rate limiting is done by ClientID/IP Address pair. So that's not a concern.

Just means someone can and may take YOUR ClientID and use it to request information that's “public” anyway.

Can’t use JUST the ClientID to perform or create authenticated requests.

1 Like

I do hope you’re right, because the docs don’t mention IPs at all:

Each client ID is granted a total of 30 queries per minute (if a Bearer token is not provided) or 120 queries per minute (if a Bearer token is provided), across all new Twitch API queries. If this limit is exceeded, an error is returned: HTTP 429 (Too Many Requests).

It would be nice if that explanation could be clarified.

What stops people from effectively using your Client ID is the redirect URI. If you have concerns about rate limits, send a Bearer token with your requests. For requests on behalf of users, their user access token. For other requests, an app access token (client_credentials).

1 Like
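
The last reply's advice (send a Bearer token, using an app access token from client_credentials for non-user requests), sketched as an added example that is not part of the thread or Twitch's own code. It assumes a Node.js backend, Twitch's `https://id.twitch.tv/oauth2/token` endpoint and `Client-Id` header; the helper names and credential values are hypothetical.

```javascript
// Added example: keep the client secret on the server and attach a Bearer token to API calls.
// Assumed: Twitch token endpoint and "Client-Id" header. Helper names are hypothetical.
const TOKEN_URL = "https://id.twitch.tv/oauth2/token";

// Build the client_credentials request. Server-side only: the secret never reaches the browser.
function buildTokenRequest(clientId, clientSecret) {
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "client_credentials",
  });
  return { url: TOKEN_URL, method: "POST", body: body.toString() };
}

// Cache the app access token and treat it as stale shortly before it expires.
class AppTokenCache {
  constructor(skewSeconds = 60) {
    this.skewMs = skewSeconds * 1000;
    this.token = null;
    this.expiresAt = 0;
  }
  store(tokenResponse, nowMs) {
    this.token = tokenResponse.access_token;
    this.expiresAt = nowMs + tokenResponse.expires_in * 1000;
  }
  get(nowMs) {
    return this.token && nowMs < this.expiresAt - this.skewMs ? this.token : null;
  }
}

// The client ID is public; the Bearer token is what moves a request to the higher quota.
function apiHeaders(clientId, token) {
  const headers = { "Client-Id": clientId };
  if (token) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// Request a new token only when the cache is empty or stale. fetchFn is injectable for testing.
async function getAppToken(cache, clientId, clientSecret, fetchFn = fetch, nowMs = Date.now()) {
  const cached = cache.get(nowMs);
  if (cached) return cached;
  const { url, method, body } = buildTokenRequest(clientId, clientSecret);
  const res = await fetchFn(url, {
    method, body, headers: { "Content-Type": "application/x-www-form-urlencoded" },
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  cache.store(await res.json(), nowMs);
  return cache.token;
}
```

The browser script then calls your own backend route, so only the public client ID (or nothing at all) appears in page source.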
