Do user access tokens expire?

Am I correct in assuming, that user access tokens do not expire?

I’m a bit confused about the ‘Validating Requests’ part in the documentation. Is it talking about user access tokens, app access tokens or both?

The way I interpret it is the following (please tell me if I’m wrong):

  • User access tokens do not expire. You should validate them on a per-session basis to make sure that when a user removes authorization for your app, you stop using that token.
  • App access tokens expire after a certain time. You have to make sure to refresh them, which basically means getting a new token.

I guess what I really want to know is: If I get a user access token once and validate it regularly, can I be sure that the access token will always be the same (until the user revokes authorization)? So until then I’ll never have to request a new user access token?

The expirations aren’t documented so they can change at any time, but implicit flow generally lasts about 60 days. The authentication flow generally lasts around 4 hours. App access token lasts around 60 days as well.


Both the validate endpoint and original token fetching JSON blobs will contain an expires_in key which tells you in how many seconds that token will die. Refresh tokens don’t expire, but may change when you refresh.


Thanks, it makes sense now. I was led to think that user access tokens don’t expire, because when getting a token via implicit code flow, there is no JSON giving you that expiration value. You just get the token via the redirect URL. That was throwing me off I guess. But validating that token then gives you a JSON response with that expires_in key.

Yeah, implicit auth will just return the token, scopes and state in the # iirc.

So to get expires, you’d hit the validate endpoint. The usual assumption with implicit is that if the token is dead, you just bounce the user to the OAuth link and they auto come back, so most users wouldn’t notice the new token being made. Or the page/session/task doesn’t last long enough to even warrant storing the token in localstorage anyway. (Generally speaking)

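As an added example (not code from this thread or from Twitch), here is how a client might handle the implicit flow the two replies above describe: read the token, scopes and state out of the redirect’s fragment, turn the validate endpoint’s expires_in into a local expiry time, and treat a failed validation or an almost-expired token as “send the user back through the OAuth link”. The redirect URL, the scope names and the validate response are constructed for the example; the validate request itself is not made here, its status and JSON body are passed in.

```python
"""Implicit-flow redirect parsing and expires_in tracking.

Constructed example, not code from the thread or from Twitch. The redirect
URL, scope names and validate-endpoint reply below are made up so the code
runs offline.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def new_state() -> str:
    """Random state value to send with the OAuth link and check on return."""
    return secrets.token_urlsafe(16)


@dataclass
class UserToken:
    access_token: str
    scopes: list
    expires_at: float  # epoch seconds, derived from expires_in at validation time

    def seconds_left(self, now: Optional[float] = None) -> float:
        return self.expires_at - (time.time() if now is None else now)

    def needs_reauth(self, now: Optional[float] = None, margin: float = 60.0) -> bool:
        """True when the token is dead or will die within `margin` seconds."""
        return self.seconds_left(now) <= margin


def parse_implicit_redirect(redirect_url: str, expected_state: str) -> dict:
    """Pull access_token, scope and state out of the part after '#'.

    The state must equal the value generated before sending the user to the
    OAuth link; a mismatch means this redirect is not the reply to our
    request, so whatever token it carries is discarded.
    """
    fragment = urlsplit(redirect_url).fragment
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: discarding redirect")
    if "access_token" not in params:
        raise ValueError("redirect carries no access_token")
    return {
        "access_token": params["access_token"],
        "scopes": params.get("scope", "").split(),  # space separated in the fragment
    }


def token_from_validation(access_token: str, scopes: list, status: int,
                          body: dict, now: float) -> Optional[UserToken]:
    """Turn the validate endpoint's reply into a UserToken.

    Assumed shape (per the thread): a 200 reply whose JSON has an integer
    expires_in. Any non-200 reply means the token is dead (expired or
    revoked) and the caller should re-run the OAuth link; None signals that.
    """
    if status != 200 or "expires_in" not in body:
        return None
    return UserToken(access_token, scopes, expires_at=now + float(body["expires_in"]))


if __name__ == "__main__":
    # Constructed redirect as the browser would deliver it after consent.
    state = "s1"
    redirect = ("https://example.invalid/callback#access_token=abc123"
                "&scope=example%3Aread+example%3Awrite&state=s1&token_type=bearer")
    parsed = parse_implicit_redirect(redirect, state)
    # Constructed validate reply; 14400 s matches the "around 4 hours" figure above.
    now = time.time()
    tok = token_from_validation(parsed["access_token"], parsed["scopes"],
                                200, {"expires_in": 14400}, now)
    print("valid for", tok.seconds_left(now), "s; reauth now?", tok.needs_reauth(now))
```

Keep the state value server-side or in app memory only for as long as the round trip takes, and re-validate on a schedule shorter than expires_in so the re-auth bounce happens before a request fails rather than after.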

This is a completely different topic right now, but for me the biggest hurdle with this authentication stuff is the hoops I have to jump through to make this work from a mobile application. It’s a Unity application targeting the Oculus Quest (running Android).

You can make http calls to use the twitch API from a Unity application, no problem. But when authentication requires you to redirect the user to a browser things get difficult.

I can redirect to the Oculus Quest’s native Browser application. Then the user can authorize the application and gets redirected to a URL that I can choose, but I have no way to get the access token from the URL back to my native app. I tried launching the app using Android deep links, which works on phones, but Oculus unfortunately prevents that in their custom browser.

In theory, if the user has already authenticated the app and I call the authorization API through an http request from within Unity, I could manually retrieve the redirect URL in the http response and get the token that way. However, that doesn’t seem to work for Meta redirects or JavaScript based redirects, which I assume twitch is using here.

One or two people have even built a browser in Unity based on chromium, so you could pull that in, but I haven’t seen any projects that work on Android. Not that building and shipping a browser inside a Unity app for a single authentication step is a sane thing to do anyway.

That means I’m left with either some scuffed approach where the user has to copy the token to the app manually (which is not very good considering tokens expire), or I have to bite the bullet and build a server which I don’t have a lot of experience with.

I wish there was a way to do OAuth authentication without the requirement of a browser, where the authentication response gets returned in the same HTTP call. Is there a dedicated feedback / feature request site for twitch developers other than this forum?

Sorry for the rant, I just needed to vent a little. I’m aware that this is probably not something a lot of people are doing. It’s completely valid for twitch to focus on the main use case which is web.

Well, since it’s an app installed to people’s computers, you are stuck using implicit auth, so as not to leak/release your Client Secret.

But it depends really on which endpoints of Twitch you need to call for your Application. It’s probably way easier to make your app connect to your server, log into your server (steam/oculus device ID auth, whatever), fetch the existing YOURSYSTEM/Twitch Account link and use the server to proxy the requests.

Then you can authenticate between your app and your server however you want.

That’s how, say, Doom Eternal knows my TwitchID: Doom logs into my Bethesda account via my Steam account, and can talk to the accounts linked to my Bethesda account, where it logged in via my Steam account to start with.