'Basic' API Scope

The API documentation states that if you do not provide a scope only ‘basic’ information will be available, but it defaults to the ‘channel_read’ scope which includes the user’s email and stream key, which should be kept private, obviously.

Is there a scope, or some way that I can authenticate a Twitch account through the API and get an OAuth token that gives access to very basic information (publicly available information), so I don’t have to worry if it falls into the wrong hands?

I’m developing a client-side application that sends the OAuth token (retrieved via the ‘Implicit Grant Flow’) to a server to verify the user.

1 Like

You can request no scope at all (&scope=) and use that returned token along with the root call (https://api.twitch.tv/kraken) to determine which user that token belongs to.

However, keep in mind that relying on only the token as the validating credential with implicit grant flow is inherently insecure since tokens generated for other applications can be injected into yours to authenticate the user.

The Authorization Code Flow and relying on the code parameter as your validating credential provides better security since an OAuth token can only be generated by knowing your application's client secret.

1 Like
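Added example, not code from either post: a server-side check for the implicit-grant token the question describes. It sends the token to the root call named in the answer and then refuses any token whose client_id is not ours, which is what stops a token minted for some other application from being injected. The response shape (token.valid, token.user_name, token.client_id) and the request headers are assumptions about the API, and the sample responses are constructed.

```python
import json
import urllib.request

ROOT_URL = "https://api.twitch.tv/kraken"  # the root call from the answer above


def fetch_token_info(access_token: str, client_id: str) -> dict:
    """Ask the API root which user (and which app) a token belongs to.

    Network call; headers are assumptions about the API and it is not run offline.
    """
    req = urllib.request.Request(ROOT_URL, headers={
        "Client-ID": client_id,
        "Authorization": "OAuth " + access_token,
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def verify_token_info(info: dict, expected_client_id: str):
    """Return the user name the token identifies, or None if it must be rejected.

    Assumed response shape: {"token": {"valid": bool, "user_name": str,
    "client_id": str, "authorization": {"scopes": [...]}}}.
    The client_id comparison is the defence against token injection: a valid
    token issued to a different application still names a real user, but it
    was never granted to us, so it proves nothing about who is calling our server.
    """
    token = info.get("token") or {}
    if token.get("valid") is not True:
        return None
    if token.get("client_id") != expected_client_id:
        return None
    return token.get("user_name") or None


# Constructed sample responses (not real API output) exercising the three outcomes.
OUR_CLIENT_ID = "our-client-id-placeholder"
GOOD = {"token": {"valid": True, "user_name": "alice",
                  "client_id": OUR_CLIENT_ID, "authorization": {"scopes": []}}}
FOREIGN = {"token": {"valid": True, "user_name": "alice",
                     "client_id": "some-other-app", "authorization": {"scopes": []}}}
INVALID = {"token": {"valid": False}}

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("foreign", FOREIGN), ("invalid", INVALID)):
        print(label, "->", verify_token_info(body, OUR_CLIENT_ID))
```

Even with this check in place, the answer's recommendation stands: the Authorization Code Flow, where only your server holds the client secret, removes the problem rather than filtering it.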