Issues with chatbot API Authentication

Hello, I’m using my own chatbot, running in node.js. I managed to connect to the chat room through IRC (using tmi.js). However, I have issues with authenticating to twitch api. I’ve read the docs several times already, I’ve successfully registered my app as chatbot and got the client-id.

However the issue is, I can’t really understand what’s the right way to authenticate to Twitch API, when the only twitch account I’ll be using in my node.js server (it’s not really an app, just a server doing requests and reacting to messages) is my own - where I have moderator role in the chatroom I’m connecting to. I understand that I need: 1. access token 2. client id and sometimes also 3. client secret.

But all of the authentication flows, for example the OAuth authorization code flow revolve around the redirect_uri and scope query-string parameters. I don’t understand this:
**1)** Send the user you want to authenticate to your registered redirect URI. Then, an authorization page will ask the user to sign up or log into Twitch and allow the user to choose whether to authorize your application/identity system.

why do I have to specify some redirect_uri, when I don’t have any frontend? I don’t want to authenticate any other users, just my bot’s twitch account. And the next thing is specifying scopes - do I really have to specify all the scopes? What should I do when I just want to have access to every “scopes” (permissions) I have?

Thanks a lot for any answers, because I’m really confused.

If you have connected to chat as a chat bot

Then you already have a valid token to use against the Twitch API.

And you already did the oAuth flow to get a token.

So not sure what the problem is?

You already built webpage to get a token for the bot. And you already have a token!

(Just trying to figure our where you are having an issue, since with a working bot you should already have everything you need)

Yeah, you are right, I’ve been following twitch chat bot tutorial and I’ve used this to get my oauth token:

OAUTH_TOKEN: The token to authenticate your chatbot with Twitch's servers. Generate this with https://twitchapps.com/tmi/ (a Twitch community-driven wrapper around the Twitch API), while logged in to your chatbot account. The token will be an alphanumeric string.

So currently, I just got a string which I pasted into the code as constant.
But when I followed the docs, there is a lot of information about authentication and there is the thing about how tokens should be refreshed etc., I don’t really do anything with authentication in code.

So let’s say that I want to request all banned and timed-out users for a channel.

Did I get all possible scopes available to my account? For example moderation:read?

The IRC guide is a common pain point for new developers, it throws you to the third party token generator rather than teaching you how to authenticate. Generally you shouldn’t rely on someone else’s generator as the generator could disappear at any moment and then your token is poof/gone.

Hence your “I’m stuck” since you started running before you could walk.

And every 60 days you’ll need to manually do it all over again. (As you have generated an implicit auth token) And you might not notice the downtime in your system until you’ve been down for a while…

So, let’s start at the beginning:

Twitch uses OAuth to grant access between a user account and a ClientID.
User OAuth will involve sending the user to a website you control, to click a link and choose to allow (or disallow) access to the account.
That link will specify the permissions (aka scopes) that you need.

For the regular user OAuth flow:
The user then returns to your website with a ?code in the URL
You then exchange the ?code for an access token and a refresh token.

You can then use that Access Token to access Twitch until the token expires.
When the token expires you then use the refresh token to get a new access token (and possibly a new refresh token)

So, you would collect the access token and refresh token into a storage system (flat file or database)
And refresh as needed.
If the refresh dies then you’ll need to manually seed the system with a new token.

With the flow you have used (someone else’s generator), this is known as Implicit Auth. This generates an #access_token but it cannot be refreshed.

Currently a Twitch Regular User token is valid for four hours. But you can refresh it forever. In the context of a chat bot you only need the token to be valid when the bot initially connects to chat.

The implicit/always manual token is good for 60 days. But you’ll need to manually make a new token.

There is a third type of token (App Access) which is only useful to read public data so we won’t cover that in this post.

So what you need to do, is add to your nodeJS app (since you mentioned you are already using node) a web page that creates the outbound <a href with the scopes you need.
That nodeJS app will need to provide a webserver (running on whatever port since we are using localhost here). The TwitchCLI for example uses http://localhost:3000 so you could do the same.

I have written a nodeJS example for user authentication that may help you out

This code example will cover how to generate a token. But not storage or refreshing of that token. The example just holds the token in session memory.

And the documentation for this kind of auth is here

Scopes/permissions are covered

And refresh here, which is just a “simple” HTTP Post Request


Thank you very much, that answered my question.

I still really don’t understand the need of a web page to authenticate. I understand when you have an application which has other users, for example Nightbot, Betterttv etc., but it seems strange to have to create a web page just to authenticate my own account.
I’ve never met with something like that. But that doesn’t matter, I just thought that I was doing something wrong before.

The last thing I still don’t understand in this concept is this:

So in my case, I aim to fully automate the authentication flow - but even so I will have to click a button to allow access? Sorry if I misunderstood you again.

That’s just how OAuth works.

Sure you can go “here is a link visit the link”
Then manually copy/paste the ?code that is returned into your command line app
And do the exchange that way (saves raising a server)
But step one is always gonna be “go to this URL in your browser” for OAuth.

A ClientID doesn’t magically grant all privileges between the ClientID and the owner of the ClientID’s account.

You can’t, you will need to do it manually (at least) once

The following you can automate:
Then you can use the Token till it dies
Then use the refresh token to get a new token

But IF the refresh fails or is invalid, then you have to manually make a new token.

So yes, you need to click the button to allow access manually. Then whenever the refresh token is dead you need to feed it new tokens. There’s also a few other things that will kill a refresh token.


Ok. I don’t really have any previous experience with oAuth - that’s why I was confused.
Thanks a lot for your time and helping me.
I will try to implement this later. After all I’m not sure if manual token refreshing wouldn’t be easier in my case, because all of this isn’t so trivial.