EventSub returning 403 with token using proper scope

Hello,

I’m trying to register a channel.cheer EventSub subscription. This is the request I’m making to retrieve the OAuth token:

curl -X POST \
    -F 'client_id=[redacted]' \
    -F 'client_secret=[redacted]' \
    -F 'grant_type=client_credentials' \
    -F 'scope=user:read:email bits:read channel:read:hype_train channel:manage:broadcast channel:manage:redemptions' \
    https://id.twitch.tv/oauth2/token

Then I am using the token in that request’s response here:

curl -X POST 'https://api.twitch.tv/helix/eventsub/subscriptions' \
    -H 'Authorization: Bearer [redacted]' \
    -H 'Client-Id: [redacted]' \
    -H 'Content-Type: application/json' \
    -d '{"type":"channel.cheer","version":"1","condition":{"broadcaster_user_id":"468236963"},"transport":{"method":"webhook","callback":"https://[redacted]/","secret":"[redacted]"}}'

Which is responding with:

{"error":"Forbidden","status":403,"message":"subscription missing proper authorization"}

The docs say that only the bits:read scope is required, so I’m confused.

I also tried using only bits.read for the scope and nothing else, even though I needed those other scopes to register other subscriptions, and I still was unable to register a channel.cheer event sub.

EventSub uses an App Access Token.
An App access token cannot have scopes, nor does it represent a user.
You need to do a user OAuth loop first with the needed scopes.
Discard/ignore that token (or use it for data catch up).
Then create topics using the app access token (again with no scopes).

Further reading: How does Twitch’s new EventSub work? – Barry Carlyon

So in summary, your clientID doesn’t have access to read cheer information for 468236963, as you didn’t do a user OAuth loop first.

EventSub works by creating a link between clientID and user (via user OAuth).
Then you can use the app access token to create subscriptions to topics.

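The order of operations described in the answer above, as an added example that is not part of the original thread: the broadcaster grants bits:read to the client ID through the authorization code flow, and the subscription is then created with an app access token requested without any scope. Function names are hypothetical, and the client ID, redirect URI, callback, state and secret values are placeholders.

```shell
#!/bin/sh
OAUTH=https://id.twitch.tv/oauth2
HELIX=https://api.twitch.tv/helix

# Percent-encode a query value (ASCII input assumed).
urlencode() (
    s=$1 out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
)

# Step 1: URL the broadcaster opens to grant scopes to this client ID.
# "state" should be random per request and checked on the redirect.
authorize_url() {  # args: client_id redirect_uri scopes state
    printf '%s/authorize?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=%s\n' \
        "$OAUTH" "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")" "$(urlencode "$4")"
}

# Step 2: finish the loop by redeeming the ?code= from the redirect.
# Per the answer, the resulting user token is not used for EventSub.
exchange_code() {  # args: client_id client_secret code redirect_uri
    curl -sS -X POST "$OAUTH/token" -d "client_id=$1" -d "client_secret=$2" \
        -d "code=$3" -d 'grant_type=authorization_code' --data-urlencode "redirect_uri=$4"
}

# Step 3: app access token. No scope parameter is sent.
app_token() {  # args: client_id client_secret
    curl -sS -X POST "$OAUTH/token" -d "client_id=$1" -d "client_secret=$2" \
        -d 'grant_type=client_credentials'
}

# Step 4: subscription body (callback and secret assumed free of " and \).
subscription_body() {  # args: broadcaster_user_id callback_url secret
    case $1 in ''|*[!0-9]*) echo 'broadcaster_user_id must be numeric' >&2; return 1 ;; esac
    printf '{"type":"channel.cheer","version":"1","condition":{"broadcaster_user_id":"%s"},"transport":{"method":"webhook","callback":"%s","secret":"%s"}}\n' "$1" "$2" "$3"
}
create_subscription() {  # args: app_token client_id body
    curl -sS -X POST "$HELIX/eventsub/subscriptions" -H "Authorization: Bearer $1" \
        -H "Client-Id: $2" -H 'Content-Type: application/json' -d "$3"
}

# Offline demo: print the Step 1 URL for placeholder values.
authorize_url 'YOUR_CLIENT_ID' 'https://example.test/callback' 'bits:read' 'constructed-state'
```

Only the last line runs when the script is executed; the curl functions are called by hand once real credentials and the redirect code are available.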