Best oauth method for local application


I am struggling to understand what would be the best OAuth method to use for my project. The end product would be a local application (python compiled exe) that I would distribute to other users. This application would need to read channel points, when someone follows, and when someone subs. I believe all this information can be received by using PubSub?

For OAuth implicit, it’s my understanding that the token can be viewed using JavaScript after the user requests the token. I think then, for my application, I would need to require the user to copy and paste the token into the app?

Or would I use the OAuth user authentication, which requires both the client id and client secret? I could then get the token programmatically. However, this method would require me to distribute a python compiled exe that contained both my client id and client secret, which does not seem very secure?

Any help or guidance would be much appreciated!

Implicit auth:

Only requires a ClientID and is the most appropriate to use for local apps

Or your App phones home/logs into a server and your server holds the login/Twitch account matches/key pairs

Follows are not over PubSub. That would require long polling the follows API

Only if your App can’t raise a web server to receive the loop back (with a bit of JS to grab the access token from the #hash and relay to your app) with the access token.

Thanks Barry!

I am able to write a webserver in the app, which I did last night, but could not figure out how to receive the information with my app, since what comes after the # is not relayed in the response. I have your example on how to grab the token (auth.html) with JavaScript, but I am a bit stuck on how to relay that token to my app. I am using python, and the python HTTPServer. Not sure if this is the right direction.

Your webserver serves a page that grabs the token then relays it from the frontend to the backend. Something like this is a rough example.

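        // The #fragment is only visible to the browser, so read it client side
        if (document.location.hash && document.location.hash != '') {
            var parsedHash = new URLSearchParams(window.location.hash.substr(1));
            if (parsedHash.get('access_token')) {
                var access_token = parsedHash.get('access_token');
                // Relay the token to the local web server run by the app
                fetch('http://localhost/?my_token=' + access_token)
                .then(resp => {})
                .catch(err => {
                    console.log(err);
                });
            }
        }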

Sub http://localhost/ for whatever http://localhost:1234/ whatever port number you spawn up on

I personally utilize the difference between GET and POST to “grab” the token from the # part - since the redirect always causes a GET request and then POST to the same endpoint by using the snippet from here:

Thanks so much! I will give this a try.
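The loopback relay discussed in this thread, written for Python's `HTTPServer` as an added example that is not code from any of the posts above: the GET from the redirect serves a page that reads the `#` fragment, and that page POSTs it back to the same endpoint. It goes slightly beyond the thread by also checking a `state` value generated by the app. The names `PAGE`, `make_handler` and `start_receiver` are illustrative, and in real use the port must be the one in the redirect URI registered for the application.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Added example, illustrative names. The browser never sends the #fragment to
# the server, so the served page reads it and POSTs it back to this endpoint.
PAGE = b"""<!doctype html><body>Completing login...</body><script>
if (location.hash.length > 1) {
  fetch(location.pathname, {method: 'POST', body: location.hash.slice(1),
    headers: {'Content-Type': 'application/x-www-form-urlencoded'}})
    .then(() => history.replaceState(null, '', location.pathname));
}
</script>"""

def make_handler(expected_state, result):
    """Build a handler class that stores the token in the `result` dict."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):   # the OAuth redirect itself is always a GET
            self._reply(200, PAGE, "text/html")

        def do_POST(self):  # the relay issued by PAGE's script
            n = int(self.headers.get("Content-Length") or 0)
            raw = self.rfile.read(max(0, min(n, 4096)))
            form = parse_qs(raw.decode("ascii", "replace"))
            state = form.get("state", [""])[0]
            token = form.get("access_token", [""])[0]
            # Accept only a response carrying the state this app generated.
            if not token or not hmac.compare_digest(
                    state.encode(), expected_state.encode()):
                return self._reply(403, b"rejected", "text/plain")
            result["access_token"] = token
            self._reply(204, b"", "text/plain")

        def _reply(self, code, body, ctype):
            self.send_response(code)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep requests out of stderr logs
            pass
    return Handler

def start_receiver(port=0):
    """Bind to loopback only; returns (server, state, result)."""
    state, result = secrets.token_urlsafe(16), {}
    server = HTTPServer(("127.0.0.1", port), make_handler(state, result))
    return server, state, result
```

Pass the returned `state` as the `state` parameter of the authorize URL, then call `server.handle_request()` until `result` contains `access_token`.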