Twitch APIs use OAuth 2.0 access tokens to access resources. If you’re not already familiar with the specification, reading it may help you better understand how to get access tokens to use with the Twitch API.

The Twitch APIs use two types of access tokens: user access tokens and app access tokens. The reference content for each API identifies the type of access token you must use to access its resource. Some APIs require a user access token, others require a user access token or an app access token, and a few like the EventSub APIs require app access tokens.

IMPORTANT Treat access tokens, refresh tokens, and client secrets like a password and safeguard them.

User access tokens

APIs that require the user’s permission to access resources use user access tokens. Twitch uses scopes to identify the resources, or the fields within a resource, that your app needs permission to access. For example, you don’t need permission to get a user’s User resource but you do need their permission to include their email address with the resource.

The following example shows the dialog that Twitch displays to the user to get their permission for your app to create a Poll, stop a Poll, or get a list of their Polls. If the user clicks Authorize, Twitch gives your app an access token that lets it perform those actions.

Based on the type of app you’re building, you’ll use one of the following OAuth flows to get a user access token.

Implicit grant flow: Use this flow if your app does not use a server. For example, use this flow if your app is a client-side JavaScript app or mobile app. For details about getting a user access token using this flow, see Getting a user access token using the implicit grant flow.

Authorization code grant flow: Use this flow if your app uses a server, can securely store a client secret, and can make server-to-server requests to the Twitch API. For details about getting a user access token using this flow, see Getting a user access token using the authorization code grant flow.

APIs that don’t require the user’s permission to access resources use app access tokens.

The lifetime of an access token depends on how you acquired the token. When you get a token, the expires_in field indicates how long, in seconds, the token is valid for. When a token expires, it becomes invalid. If you call a Twitch API with an invalid token, the request returns 401 Unauthorized.

Although you could use the expires_in value to proactively get a new token before the token expires, you’re discouraged from using this approach because tokens can become invalid for a number of reasons (see How do tokens become invalid?). Instead, Twitch recommends that apps reactively respond to HTTP status code 401 Unauthorized.

The only access tokens that apps can refresh without requesting user consent are user access tokens created using the OAuth Authorization Code Grant Flow. When you get a user access token using the Authorization Code Grant flow, you also get a refresh token. Generally, refresh tokens are used to extend the lifetime of a given authorization. Your app uses the refresh token to get a new access token after receiving a 401 Unauthorized response.

NOTE You cannot refresh app access tokens.

The following example shows the JSON object that the endpoint returns. The object includes an access token and a refresh token. You must safely store both the access token and the refresh token.

Refresh tokens, like access tokens, can become invalid if the user changes their password or disconnects your app.

A refresh request can fail with HTTP status code 401 Unauthorized if the refresh token is no longer valid. If the refresh fails, the application should re-prompt the end user for consent using the Authorization Code Grant flow or OIDC Authorization Code Grant flow.

Handling token refreshes in a multi-threaded app

At any given point in time, the maximum number of valid access tokens that a refresh token can be associated with is 50. If a refresh token has 50 valid access tokens associated with it and you try to create the 51st, the request fails. This limit might become an issue if multiple threads sharing the same authorization try to simultaneously refresh the access token. In this case, it’s possible that the refresh request may fail for some of the threads after the refresh token reaches the 50 access token limit.

For multi-threaded apps, Twitch recommends that your app refresh the access token in one thread, which then distributes the new access token to the other threads.
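The multi-threaded guidance above (react to 401, refresh once, share the result), sketched in Python as an added example that is not Twitch's code: every thread that receives a 401 goes through one lock, the first one performs the refresh, and the rest reuse the token it obtained. `SharedToken`, `refresh_fn`, `call_api` and the in-memory server inside `simulate` are hypothetical stand-ins; the real refresh request is not shown on this page.

```python
import threading

class ReauthorizationRequired(Exception):
    """The refresh request itself returned 401: re-prompt the user for consent."""

class SharedToken:
    def __init__(self, access, refresh, refresh_fn):
        self._lock = threading.Lock()
        self._access, self._refresh = access, refresh
        self._refresh_fn = refresh_fn  # hypothetical: refresh_token -> (status, access, refresh)
        self.refresh_calls = 0

    def current(self):
        with self._lock:
            return self._access

    def refresh_after_401(self, rejected):
        with self._lock:  # held across the refresh so other threads wait for its result
            if rejected != self._access:
                return self._access  # another thread already refreshed; reuse its token
            self.refresh_calls += 1
            status, access, refresh = self._refresh_fn(self._refresh)
            if status == 401:
                raise ReauthorizationRequired()
            self._access, self._refresh = access, refresh
            return access

def call_api(shared, api_fn):
    token = shared.current()
    status = api_fn(token)
    if status == 401:  # react to the 401 rather than trusting expires_in; retry once
        status = api_fn(shared.refresh_after_401(token))
    return status

def simulate(n_threads=8):
    valid = {"access": "new-0"}  # constructed stand-in server; clients hold a stale token
    def fake_refresh(refresh_token):
        valid["access"] = "new-%d" % (int(valid["access"][4:]) + 1)
        return 200, valid["access"], refresh_token
    def fake_api(token):
        return 200 if token == valid["access"] else 401
    shared = SharedToken("old", "constructed-refresh-token", fake_refresh)
    barrier, results = threading.Barrier(n_threads), []
    def worker():
        barrier.wait()  # every thread starts together with the stale token
        results.append(call_api(shared, fake_api))
    threads = [threading.Thread(target=worker) for _ in range(n_threads)]
    for t in threads: t.start()
    for t in threads: t.join()
    return shared.refresh_calls, results
```

Because the refresh is serialised, eight threads that all see the same 401 produce one refresh request instead of eight, which keeps a burst of concurrent failures from counting against the 50-token limit.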