400 "invalid client" response in OAuth Credentials Flow

I’m trying to set up a chat reader app, but I can’t get past the first step of authentication. I haven’t found this error discussed in the forums. I’m following the “Client Credentials Flow” for OAuth, which specifies the following request format:

POST https://id.twitch.tv/oauth2/token
    ?client_id=<your client ID>
    &client_secret=<your client secret>
    &grant_type=client_credentials
    &scope=<space-separated list of scopes>

Client ID: I’m using the client id provided to me from the Twitch Developer dashboard
Client Secret: I’m using the client secret provided to me from the Twitch Developer dashboard
Scope: Trying to get access to “chat:read.”

When I get a response it looks like this:

response headers: { date: 'Sat, 01 Aug 2020 19:50:47 GMT',
  'content-type': 'application/json',
  'content-length': '42',
  connection: 'close',
  server: 'nginx/1.14.1',
  'access-control-allow-origin': '*',
  'x-ctxlog-logid': '1-5f25c797-011a0f4c97d17354625d3e28' }

Response text: {"status":400,"message":"invalid client"}

I’ve seen other error messages discussed on the forum: “invalid client secret,” “missing client id”, etc. But I haven’t seen a discussion for just, “invalid client.” Is this a problem with how I’ve set things up, or is my new application missing some sort of permissions?

For a start, that’s the wrong kind of token; you have to use a user token to log in to chat.

Invalid Client usually means the clientID is not valid. You may have copied and pasted it wrong.

Either that, or it’s because you are trying to get chat:read on something that can’t use chat:read. To log in to chat you need a user token. Not a server to server token.

Oh well that would explain it!

I tried looking for that kind of information about what authorization was required for each type of scope, but I couldn’t find it. Do you know where it is located?

The rule of thumb is that any endpoint that requires a scope, or is reading/writing private data, will need a user token. App Access Tokens only work for public data (except for extensions reading subscriber data).

Since you need permission from the content owner to access that content. Subscribers for example, the subscribers endpoint also notes that the broadcaster_id in the query string needs to match the one in the token.

You wanna update a broadcaster’s channel data? Well, that needs a scope and permission from the content owner to update their channel, etc.

So an app access token doesn’t work for logging into chat as it doesn’t represent a user, and to log in to chat you need to be a user.

The users endpoint accepts any kind of token, but if you specify a user token with the email scope you get the email returned too. You can also call the users endpoint with no ID/username in the query string and get the user for that token.

It’s somewhat straightforward, there’s just some endpoints with alternative behaviour.
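
Added example, not part of the original thread: a pre-flight check for the client credentials request discussed above, which catches a mis-pasted client ID, applies the thread's rule of thumb about scopes, and keeps the secret out of the URL and out of logs. The function names are hypothetical, and it assumes the token endpoint accepts the same parameters as a form-encoded body instead of a query string.

```javascript
const TOKEN_URL = 'https://id.twitch.tv/oauth2/token';

// Build the client credentials request with the secret in the form body
// (assumption: the endpoint accepts it there), so it never appears in URL logs.
function buildAppTokenRequest(clientId, clientSecret, scopes = []) {
  const id = clientId.trim();
  const secret = clientSecret.trim();
  // Catch copy/paste damage before sending: placeholders, quotes, inner whitespace.
  for (const [name, value] of [['client_id', id], ['client_secret', secret]]) {
    if (value === '' || /[\s<>"']/.test(value)) {
      throw new Error(`${name} looks mis-pasted (empty, placeholder, quotes or whitespace)`);
    }
  }
  // Rule of thumb from the thread: anything that needs a scope needs a user token.
  if (scopes.length > 0) {
    throw new Error(`scopes [${scopes.join(' ')}] need a user token, not an app access token`);
  }
  const body = new URLSearchParams({
    client_id: id, client_secret: secret, grant_type: 'client_credentials',
  });
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Map the error messages quoted in the thread to the first thing to check.
// Only the "invalid client" hint comes from the thread; the other two are assumptions.
function explainTokenError(responseText) {
  let parsed;
  try { parsed = JSON.parse(responseText); } catch { return 'non-JSON response: inspect the raw body'; }
  const hints = {
    'invalid client': 'client_id not recognised: re-copy it from the developer dashboard',
    'invalid client secret': 'client_secret does not match this client_id',
    'missing client id': 'client_id parameter was not sent',
  };
  return hints[String(parsed.message).toLowerCase()] || `unrecognised error: ${parsed.message}`;
}

// Redact the secret before a request object is logged or pasted into a forum post.
function redact(req) {
  return { ...req, body: req.body.replace(/(client_secret=)[^&]+/, '$1[REDACTED]') };
}
```

Pass the returned object to whichever HTTP client you use, and log only `redact(req)`.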