Error 429 - Limitation ? (Helix API)

Hello
First of all: I’m not a dev, just trying to apply stuff for my website, learning here and there what I can !
I’m using Helix API using cURL with PHP, along with my Client ID (am I saying this right?) to get a list of some Twitch channels I want to be displayed on my website, depending on if they are online or not.
Problem is that if I refresh too often, or change pages too quickly, I’ve got a Failed error 429 message. I think I’m understanding that it’s due to a limitation about the number of requests I’m doing (https://dev.twitch.tv/docs/api/guide ?) per IP? Is that correct?
Is there a way to work around that? Cause I’ve got more and more streamers to add there and I don’t want people to have this error message appearing every time they switch page ? (cause ye, this list appears on each page)

Thanks a lot !

Which endpoints are you trying to call?

429 is the rate limit warning, and the rate limit is passed in the headers

You can use an App Access Token, which’ll grant a limit of 800 requests per minute (client-id only is 30)

Additionally both the users and streams endpoints allow you to look up 100 users at once.

Then your front end should call your server and your server should load from a cache and your cache be updated via a Cron job.

So 10k people can load your website, but your website loads from the API once per minute total.

Every page load it loads from your database, and you have cronjob that updates every minute or so instead.

See also this thread

About upcoming changes, requiring an oAuth bearer to be present on all Helix requests. (Which’ll also grant the 800 rate limit)


First (again) thanks a lot for your quick answer, really.
What is an “endpoint” ? (sorry English is also not my native language, if this wasn’t clear enough! hehe)

So I should use App Access Token rather than Client ID, right ?

Also, you lost me with cron job :smiley: but at least, I know that it’s possible to find a solution so I will also try to find something on my side.

The streams “endpoint” is https://api.twitch.tv/helix/stream; an endpoint is an API URL.

No you should use both. As per what I linked you need to send the App Access Token, and the Client ID that that app access token was generated with.

Cron job is a job that automatically runs on a server periodically to do whatever.

So you’d create a scheduled job to update streams status into your database and the database would serve the front end.


Ok, I think I should have now enough information. I’ll investigate and do my part :slight_smile:
Thank you again Barry.

Ok I thought I was smarter than that but…
Here’s the code I use to get the info I need, and that works for now… with this very low rate limit.
I thought I just needed to add

    Client_secret: mygeneratedsecret,
    Grant_type: authorization_code'

to (below client-ID) but that just gives an error 400. What am I missing ? Thanks

$ch = curl_init('https://api.twitch.tv/helix/streams?user_login='.$streamer[$i]);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'Client-ID: myclientID'
));

// Retrieve data
$data = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);

if ($info['http_code'] == 200) {
	// Convert JSON data to object
	$r = json_decode($data);
	// Object contains an array of objects called "data"
	$array_data_r = $r->data;

} else {
	echo 'Failed with ' . $info['http_code'];
}

The OAuth process is completely separate from requests to the API endpoint.

If you want to use the Auth Code flow, you would follow the instructions here: https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-authorization-code-flow which will send the user to Twitch. If they accept connecting to your app they’ll be redirected back to your website with a code as a querystring param, which your server can then exchange for an Access Token.

Once you’ve got that Access Token you can make requests by using the Authorization: Bearer <Token> header.

Those requests MUST be done server-side as you must not expose your client secret to the client. If you wish to do API requests client side you should use the Implicit Auth Flow https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-implicit-code-flow where the user is redirected back to your website with a User Access Token in the url hash, which the frontend can use as the Authorization header in the same way I previously mentioned.

If you want to do it entirely server-side, you can use an App Access Token https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-client-credentials-flow which doesn’t require user interaction, or redirecting them at all, but the requests can only be done on your server as you can’t expose that token to the user.


The OAuth process is the part where I do the cURL?
Yes I read the instructions but to be honest it’s really not clear at all to me…
I understand for the server-side, but first I would need to have a proper code that actually does what I need, and I can’t seem to find how to turn theory into code…

$ch = curl_init('https://id.twitch.tv/oauth2/token');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array(
'client_id' => 'myclientID',
'client_secret' => 'yoursecrect',
'grant_type' => 'client_credentials'
));

// Retrieve data
$data = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);

$data, when JSON decoded (and the http code in info checked), should return a token to use. Store and reuse the token until it expires.

This should work off the top of my head. Doesn’t include code to obtain an already generated token and check its validity


Ok so I stored the token after your code

$token = null;
if ($info['http_code'] == 200) {
	// Convert JSON data to object
	$r = json_decode($data);
	// The token response carries the token in "access_token" (it has no "data" array)
	$token = $r->access_token;
} else {
	echo 'Failed with ' . $info['http_code'];
}

Then I basically took the code I already had by adjusting stuff:

	$ch = curl_init('https://api.twitch.tv/helix/streams?user_login='.$streamer[$i]);

	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_HTTPHEADER, array(
		'Client-ID: myclientID',
		'Authorization: Bearer '. $token
	));

So only thing remaining is to have this done on the server side and I’m good to go, right ? (as it is, it works, but I understand for security reason I can’t keep it on my webpage directly)

Sounds about right yeah.

And yeah you shouldn’t leak your generated oAuth access tokens; user tokens are ok since they are the user’s own tokens. But an oAuth token is basically like a password and should be treated as such.

Doing it server side also means you can minimise the API requests you make as you can cache the data in your server

End of the story:
- I’ve created a .php file containing a script that gets the token, and fills in my DB
- A cron in the server gets this done every minute
- On my webpage, I only have some small code that reads the database, and displays it

My page loads soo much faster now, and that works great.
Thank you a lot for your help, I wish I could do something in return ! ahah
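
The setup this thread arrives at, sketched as an added example (not code from any participant in the thread): a cron script that reuses a stored App Access Token until it expires, looks up streamers in batches of 100, reads the rate-limit header on failure, and writes a cache for the web pages to read. The environment variable names, `token.json`, `streams.json` and the streamer logins are assumptions; the thread's author used a database for the cache instead of a file.

```php
<?php
// Added example: cron script, run from the CLI and kept outside the web root.
// Assumed names: TWITCH_CLIENT_ID / TWITCH_CLIENT_SECRET env vars, token.json, streams.json.
const TOKEN_FILE = __DIR__ . '/token.json';
const CACHE_FILE = __DIR__ . '/streams.json';

function http(string $url, array $headers = [], ?array $post = null): array {
    $seen = [];
    $opts = [CURLOPT_RETURNTRANSFER => true, CURLOPT_HTTPHEADER => $headers, CURLOPT_TIMEOUT => 10,
        // Collect response headers (lower-cased) so the rate-limit values can be read.
        CURLOPT_HEADERFUNCTION => function ($ch, $line) use (&$seen) {
            $p = explode(':', $line, 2);
            if (count($p) === 2) { $seen[strtolower(trim($p[0]))] = trim($p[1]); }
            return strlen($line);
        }];
    if ($post !== null) { $opts[CURLOPT_POSTFIELDS] = http_build_query($post); } // implies POST
    $ch = curl_init($url);
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return [$code, json_decode((string) $body, true), $seen];
}

function appToken(string $id, string $secret): string {
    $t = is_file(TOKEN_FILE) ? json_decode(file_get_contents(TOKEN_FILE), true) : null;
    if (is_array($t) && $t['expires_at'] > time() + 60) { return $t['access_token']; } // reuse
    [$code, $r] = http('https://id.twitch.tv/oauth2/token', [], [
        'client_id' => $id, 'client_secret' => $secret, 'grant_type' => 'client_credentials']);
    if ($code !== 200) { throw new RuntimeException("token request failed: $code"); }
    $r['expires_at'] = time() + $r['expires_in'];
    touch(TOKEN_FILE); chmod(TOKEN_FILE, 0600); // credential: readable by the cron user only
    file_put_contents(TOKEN_FILE, json_encode($r));
    return $r['access_token'];
}

$id = getenv('TWITCH_CLIENT_ID');
$logins = ['streamer_one', 'streamer_two']; // constructed sample list
$token = appToken($id, getenv('TWITCH_CLIENT_SECRET'));
$live = [];
foreach (array_chunk($logins, 100) as $batch) { // up to 100 logins per request
    $qs = implode('&', array_map(fn($l) => 'user_login=' . rawurlencode($l), $batch));
    [$code, $r, $h] = http("https://api.twitch.tv/helix/streams?$qs",
        ["Client-ID: $id", "Authorization: Bearer $token"]);
    if ($code !== 200) { // on 429 or any failure keep the old cache; the next run retries
        fwrite(STDERR, "HTTP $code, remaining=" . ($h['ratelimit-remaining'] ?? '?') . "\n");
        exit(1);
    }
    foreach ($r['data'] as $s) { $live[$s['user_name']] = $s['title']; }
}
// Write then rename so page loads never read a half-written cache.
file_put_contents(CACHE_FILE . '.tmp', json_encode(['updated' => time(), 'live' => $live]));
rename(CACHE_FILE . '.tmp', CACHE_FILE);
```

The page code then only reads `streams.json` (or the database row) and never sees the client secret or the token.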
