Get Followed Streams - invalid oauth token problems

It is giving me a headache; if anyone could help me figure it out, I would be deeply thankful!

I’m calling everything from my backend - so I figured I need OAuth Client Credentials Flow which is app access token for server-to-server API requests (am I right here? If not - which else should I choose?)

First I created an application - got Client ID and Client Secret from it.

Then I created the following function

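function getOAuthID(){
    $url = ''; // token endpoint URL (empty in the post as it appears here)

    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
        ),
    );
    $context  = stream_context_create($options);
    $result = file_get_contents($url, false, $context);
    // Split the JSON body on double quotes; element 3 is the first string value,
    // which is the token only when the token is the first field in the reply
    $resultArray = explode('"', $result);
    return $resultArray[3];
}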

As I’ve read I need the scope: user_read - which I put in params.

Then I proceeded to create a php curl request as instructed for Get Followed Streams guide -

$url = ''; // Get Followed Streams endpoint URL (empty in the post as it appears here)
$clientID = 'xxxx';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
// Return the response body as a string instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Accept: application/vnd.twitchtv.v5+json',
    'Client-ID: '.$clientID,
    'Authorization: OAuth '.getOAuthID()
));
$response = curl_exec($ch);

Where I get following response…

{"error":"Unauthorized","status":401,"message":"invalid oauth token"}

But I checked the status of my OAuth on
and got back feedback:


I’m lost here… Anyone has any idea that could help me out - even some suggestions what to try?

Could it have anything to do with my access token being

You’re using the wrong type of token.

The API endpoint you’re using gets the list of followed streams based on the user associated with the OAuth token. App Access Tokens don’t have a user associated with them as you’re not sending a user through the OAuth flow asking them to explicitly grant the required scopes.

Use the Authorization Code Flow and this will get you a User Access Token, which will let you access endpoints requiring permissions to be given by that user.

Thank you very much sir - was thinking it would be the wrong token… I figured it out thanks to you :slight_smile:

Cheers and big big thanks!

May I bother you with 1 more thing - perhaps if you have knowledge - The code that you get by accepting the Authorisation - is that valid indefinitely?

I was successful in getting an OAuth access token only once - now I’m getting a 404 page - should I extend validation on this OAuth access token that I got, since it has an expiration date, right?

Thanks in advance,

An OAuth token will return an expires_in; the token will expire that many seconds after you have received a payload.

You can also use the validate end point

To get this data

Thank you for the link Barry - so the logic of continuously retrieving data would be;

// Do one time

  • create OAuth access token once

// start the loop

  • validate the token (regularly?)
  • retrieve the data of current streamers online
    // end loop

This will prevent Twitch from punitive action, such as revoking my developer’s API key or throttling the application’s performance?

It’s not the validation that you need to do regularly, that just checks if it’s still valid or not.

The code you get from the OAuth process is single use, but what you receive as well as the Access Token is a Refresh token. This refresh token can be used to get a new Access Token and Refresh token as explained here:

User Access tokens last roughly 4 hours, so if you need to have a valid token at all times you can just go through that refresh process a little more frequently than 4 hours, or if you don’t need an access token valid at all times you could go through the refresh process only when you need to.

As for throttling or anything like that it shouldn’t be a concern if you use the API sensibly. For example all endpoints use caching, so if you’re wanting to repeatedly check the same endpoint then once a minute is considered the standard minimum interval.
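
The refresh logic described in the reply above, as an added example that is not code from anyone in this thread: a token store that computes expiry from expires_in, refreshes shortly before it, and keeps the refresh token returned with each new access token. The TokenStore class, the injected $post callable and the fake replies are assumptions constructed for illustration (PHP 7.4 or later); the token endpoint URL and client credentials are left to the real $post.

```php
<?php
final class TokenStore
{
    private string $accessToken = '';
    private string $refreshToken;
    private int $expiresAt = 0;   // Unix time; 0 forces a refresh on first use
    private int $margin;          // refresh this many seconds before expiry
    private $post;                // callable(array $form): array (decoded JSON reply)
    public function __construct(string $refreshToken, callable $post, int $margin = 300)
    {
        $this->refreshToken = $refreshToken;
        $this->post = $post;
        $this->margin = $margin;
    }

    public function accessToken(int $now): string
    {
        if ($now >= $this->expiresAt - $this->margin) {
            $this->refresh($now);
        }
        return $this->accessToken;
    }

    private function refresh(int $now): void
    {
        $reply = ($this->post)(['grant_type' => 'refresh_token', 'refresh_token' => $this->refreshToken]);
        if (!isset($reply['access_token'], $reply['expires_in'])) {
            throw new RuntimeException('refresh rejected: repeat the authorization code flow');
        }
        $this->accessToken  = $reply['access_token'];
        // Keep the refresh token from the reply: the thread says a new one is issued.
        $this->refreshToken = $reply['refresh_token'] ?? $this->refreshToken;
        $this->expiresAt    = $now + (int) $reply['expires_in'];
    }
}

// Constructed stand-in for the HTTPS POST to the token endpoint. A real $post would
// add the client ID and secret, send the form, and json_decode() the body.
$calls = 0;
$fakePost = function (array $form) use (&$calls): array {
    $calls++;
    return ['access_token' => "access-$calls", 'refresh_token' => "refresh-$calls", 'expires_in' => 14400];
};
$store = new TokenStore('refresh-0', $fakePost);
$start = 1700000000;                       // constructed clock value
for ($i = 0; $i < 60; $i++) {              // one poll every 5 minutes for 5 hours
    $token = $store->accessToken($start + $i * 300); // then send "Authorization: OAuth $token"
}
echo "refreshes: $calls, current token: $token\n";
```

Persist the latest refresh token alongside the access token, since a process restart that falls back to an older refresh token would be rejected if the old one is no longer accepted.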

I was thinking about checking the same endpoint once per 5 minutes - so I guess that interval would get me under the 4 hour expiration time and away from standard minimum interval :slight_smile:

Thanks to both of you - I got a lot of knowledge that I failed to obtain through searching the forums/googling. I made some productive changes to the code base today - thanks to the information I gathered here!


If/when the token dies.

You can refresh the token to get a new access token

as documented
