EventSub: "subscription missing proper authorization"

Request:
curl -X POST https://api.twitch.tv/helix/eventsub/subscriptions -H 'Authorization: Bearer <App Access token>' -H 'Client-ID: <My Client-ID from dashboard>' -H 'Content-Type: application/json' -d '{"type": "channel.channel_points_custom_reward_redemption.add", "version":"1", "condition":{"broadcaster_user_id":"<Channel User ID>"}, "transport":{"method":"webhook", "callback":"https://mydomain.com/channelpoints/callback.php?test=test", "secret": "<My Secret Key>"}}'

Response:
{"error":"Forbidden","status":403,"message":"subscription missing proper authorization"}

I’m getting the App access token with:
curl --data "client_id=<My Client ID>&client_secret=<My Client Secret>&grant_type=client_credentials&scope=channel:read:redemptions+channel:moderate" https://id.twitch.tv/oauth2/token

The channel you are trying to subscribe to has not granted your ClientID access to the relevant scopes for channel points.

Basically, a client_credentials token can’t have scopes (or a userID).

You need to generate a user access token with the scopes on. So you can call the API with that token.

Once that has been done, then you can use your app access token to create the subscription.

So

  1. Get permission from the broadcaster to read/write channel points, user access token (with scopes)
  2. Then EventSub to those topics with your App Access Token (no scopes)

So you need two different tokens.

1 Like

Which token should I use to subscribe? user token or app token?
curl -X POST https://api.twitch.tv/helix/eventsub/subscriptions -H 'Authorization: Bearer <App Access token>' -H 'Client-ID: <My Client-ID from dashboard>' -H 'Content-Type: application/json' -d '{"type": "channel.channel_points_custom_reward_redemption.add", "version":"1", "condition":{"broadcaster_user_id":"<Channel User ID>"}, "transport":{"method":"webhook", "callback":"https://mydomain.com/channelpoints/callback.php?test=test", "secret": "<My Secret Key>"}}'

Having to use two tokens as you comment, I get a bit lost as the POST call only accepts one token at a time and I don’t know which one I should use. Thanks for the answer, I will read it more times to see if I clarify myself.

EventSub subscriptions are only created using an App Access Token.

You just need to have created a user access token once; you don’t even need to store it.

EventSub checks if your clientID has had access to the resource you request. So you don’t need any active user access tokens on file (since a user token only lives for four hours anyway).

1 Like

In that case, the Creator / streamer user access token shouldn’t be stored for later use, it just needs to be authorized and that’s it?

Correct.

Unless you need to read/write from Helix.

Helix will need you to use the User Access Token.

1 Like
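
The two-token flow described in the replies, as an added example that is not code from any poster in this thread: the broadcaster grants the scope to your Client-ID once through the authorization code flow, then the subscription is created with an unscoped app access token. The redirect path, the `state` value and all placeholder credentials are assumptions; the functions assume their arguments contain no double quotes.

```shell
#!/bin/sh
# Placeholder credentials (constructed); export the real values before use.
CLIENT_ID="${CLIENT_ID:-your_client_id}"
CLIENT_SECRET="${CLIENT_SECRET:-your_client_secret}"
REDIRECT_URI="${REDIRECT_URI:-https://mydomain.com/channelpoints/auth.php}"  # assumed path

# Percent-encode the characters that occur in scopes and redirect URIs.
urlencode() {
    printf '%s' "$1" | sed -e 's/%/%25/g' -e 's/:/%3A/g' -e 's|/|%2F|g' \
        -e 's/?/%3F/g' -e 's/&/%26/g' -e 's/=/%3D/g' -e 's/+/%2B/g' -e 's/ /%20/g'
}

# Step 1: URL the broadcaster opens once to grant the scope to this Client-ID.
# $1 = space-separated scopes, $2 = random state checked again on the redirect
authorize_url() {
    printf 'https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=%s\n' \
        "$(urlencode "$CLIENT_ID")" "$(urlencode "$REDIRECT_URI")" \
        "$(urlencode "$1")" "$(urlencode "$2")"
}

# Step 1b: exchange the ?code= value from the redirect for the user access token.
exchange_code() {
    curl -s -X POST https://id.twitch.tv/oauth2/token \
        -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
        -d "grant_type=authorization_code" -d "code=$1" \
        --data-urlencode "redirect_uri=$REDIRECT_URI"
}

# Step 2: app access token; client_credentials takes no scope parameter.
app_token() {
    curl -s -X POST https://id.twitch.tv/oauth2/token \
        -d "client_id=$CLIENT_ID" -d "client_secret=$CLIENT_SECRET" \
        -d "grant_type=client_credentials" |
        sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# JSON body: $1 = broadcaster user ID, $2 = callback URL, $3 = webhook secret
subscription_body() {
    printf '{"type":"channel.channel_points_custom_reward_redemption.add","version":"1","condition":{"broadcaster_user_id":"%s"},"transport":{"method":"webhook","callback":"%s","secret":"%s"}}' "$1" "$2" "$3"
}

# Step 3: create the subscription. $1 = app token, rest as for subscription_body
create_subscription() {
    token=$1; shift
    curl -s -X POST https://api.twitch.tv/helix/eventsub/subscriptions \
        -H "Authorization: Bearer $token" -H "Client-ID: $CLIENT_ID" \
        -H 'Content-Type: application/json' -d "$(subscription_body "$@")"
}

# Offline demonstration: print the link to send to the broadcaster.
authorize_url "channel:read:redemptions" "replace-with-random-state"
```

After the broadcaster has approved the link and the code has been exchanged, `create_subscription "$(app_token)" <broadcaster id> <callback url> <secret>` performs the request from the first post.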