This post applies to all developers who are using the OAuth2 login flow as authentication for their service’s protected resources, in addition to any Twitch resources accessible via scopes.
As a courtesy, we wanted to post a reminder that we require applications using Twitch OAuth2 for login purposes to validate their access tokens on a recurring basis. That is to say, if your application is using Twitch as a form of authentication (i.e. verifying that a user is who they say they are on your platform), you should conduct hourly validations of tokens. Additionally, you should validate access tokens prior to processing requests that access or perform mutations on sensitive information of users. We ask that you implement this validation as soon as possible if you have not done so already.
This is important because of how OAuth access tokens work and the end user’s expectation of OAuth session control. For example, a user who opts to disconnect your integration from their Twitch account can do so from their account settings on Twitch. When a user disconnects from an integration, all OAuth access tokens between that user and that integration are invalidated. In this scenario, the expectation is that OAuth access tokens are tied to sessions on third-party applications; as such, any existing sessions between the disconnected user and those applications should also be invalidated.
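The following session store is an added example (not Twitch's own code) of the policy above: every session is re-validated hourly, any request that touches sensitive data forces a validation first, and a token Twitch reports as invalid ends the application session as well. It assumes Twitch's validation endpoint `https://id.twitch.tv/oauth2/validate` with an `Authorization: OAuth <token>` header (not named in the post), and makes the HTTP call injectable so the logic can be exercised without the network.

```python
import json, time, urllib.error, urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Twitch's token validation endpoint (assumption: not named in the post above).
VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"
REVALIDATE_AFTER = 3600  # seconds; the post asks for hourly re-validation

@dataclass
class Session:
    user_id: str           # Twitch user id the session was issued for
    access_token: str      # the OAuth access token backing this session
    last_validated: float  # epoch seconds of the last successful validation

def validate_with_twitch(access_token: str) -> Optional[dict]:
    """GET /oauth2/validate; return the JSON body on 200, None on 401 (revoked/expired)."""
    req = urllib.request.Request(VALIDATE_URL, headers={"Authorization": f"OAuth {access_token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return None
        raise  # other errors are transient; let the caller decide

class SessionStore:
    def __init__(self, validator: Callable[[str], Optional[dict]] = validate_with_twitch,
                 clock: Callable[[], float] = time.time):
        self.sessions: Dict[str, Session] = {}
        self.validator = validator  # injectable so tests can run without the network
        self.clock = clock

    def authorize(self, session_id: str, force: bool = False) -> Optional[Session]:
        """Return the session if usable; pass force=True for requests touching sensitive data."""
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if force or self.clock() - s.last_validated >= REVALIDATE_AFTER:
            info = self.validator(s.access_token)
            # A 401, or a token now bound to a different user, ends the app session too.
            if info is None or info.get("user_id") != s.user_id:
                self.sessions.pop(session_id, None)
                return None
            s.last_validated = self.clock()
        return s

    def sweep(self) -> int:
        """Hourly job: re-validate every session, returning how many were ended."""
        return sum(1 for sid in list(self.sessions) if self.authorize(sid, force=True) is None)
```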
Twitch does periodically conduct audits for the security of our mutual users. If we discover an application that is not re-validating access tokens, we will reach out and work with the developers to resolve the issue. If the issue is not resolved, we may take punitive action, such as revoking the developer’s API key or throttling the application’s API access. We certainly prefer working with you over taking action; your success is our success!