Did the OAuth requirements not go live?

I was under the impression that they’ve been required since May 11th, but it doesn’t actually appear to be required for endpoints that don’t have explicit scope requirements at least.

If I run this:
curl -X GET 'https://api.twitch.tv/helix/games?id=493057'

I get exactly what I’d expect:
{"error":"Unauthorized","status":401,"message":"OAuth token is missing"}

But if I just hand it a client id
curl -H 'Client-ID: [redacted]' -X GET 'https://api.twitch.tv/helix/games?id=493057'

The data comes right back.
{"data":[{"id":"493057","name":"PLAYERUNKNOWN'S BATTLEGROUNDS","box_art_url":"https://static-cdn.jtvnw.net/ttv-boxart/PLAYERUNKNOWN'S%20BATTLEGROUNDS-{width}x{height}.jpg"}]}

Edit: does this have something to do with the age of client IDs? I tried a newer client ID, and it errors out exactly like it should.

Client IDs are public and don’t need to be redacted.

Did you call this using an extension ClientID? Extensions have a little more leeway to update to the new behaviour.

This is one listed under Applications from June of 2018. If I swap to a Client ID from April of 2020, it returns the 401 with OAuth token is missing.

It also appears to not validate that the token and client ID match for these older IDs either. I can even pass through a blatantly fake token, such as ‘abc123’ with the older client IDs and the data comes back just fine. Likewise, I can pass through a valid token from the old client ID and a blatantly fake Client-ID such as ‘abc123’ and it works.

Edit: I just wanted to double check. Generated a new app token via a newer client ID. The token from the new client ID mixed with ‘abc123’ as the client ID gives me 401 Client ID and OAuth token do not match.

I’m not sure if this is a bug, or just something where I should be grateful for these old applications.
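
Added example (not a post from this thread, and not Twitch's code): a small Python model of the checks the replies above describe, with the exemption for older client IDs switchable so the same request matrix can be run against the observed behaviour and against a uniform check. The client IDs, tokens, `legacy` flag and the "Invalid OAuth token" message are assumptions made for the example.

```python
# Model of the authorization behaviour reported in this thread.
# Client IDs, tokens and the "legacy" flag are constructed for illustration.
CLIENTS = {"old-client": {"legacy": True}, "new-client": {"legacy": False}}
TOKENS = {"tok-old": "old-client", "tok-new": "new-client"}  # token -> issuing client


def deny(message):
    return 401, {"error": "Unauthorized", "status": 401, "message": message}


def is_legacy(client_id):
    return CLIENTS.get(client_id, {}).get("legacy", False)


def authorize(client_id, token, exempt_legacy=False):
    """Return (status, error_body). exempt_legacy=True models the observed gap."""
    owner = TOKENS.get(token)  # None when the token is missing or fake
    if exempt_legacy and (is_legacy(client_id) or is_legacy(owner)):
        return 200, None  # token presence and token/client binding both skipped
    if token is None:
        return deny("OAuth token is missing")
    if owner is None:
        return deny("Invalid OAuth token")  # assumed wording, not from the thread
    if owner != client_id:
        return deny("Client ID and OAuth token do not match")
    return 200, None


# The requests described in the thread, as (label, client_id, token).
PROBES = [
    ("no credentials", None, None),
    ("old client ID, no token", "old-client", None),
    ("new client ID, no token", "new-client", None),
    ("old client ID, fake token", "old-client", "abc123"),
    ("fake client ID, old client's token", "abc123", "tok-old"),
    ("fake client ID, new client's token", "abc123", "tok-new"),
    ("new client ID, its own token", "new-client", "tok-new"),
]


def run_matrix(exempt_legacy):
    """Status code per probe; a uniform check leaves only the last probe at 200."""
    return {label: authorize(cid, tok, exempt_legacy)[0] for label, cid, tok in PROBES}


if __name__ == "__main__":
    for label, *_ in PROBES:
        print(f"{label:38} observed={run_matrix(True)[label]} uniform={run_matrix(False)[label]}")
```

A matrix like this is useful as a regression test on the API side: every row except a matching client ID and token pair should return 401, whatever the age of the client ID.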
