More than one token for the same application

I’m making a Twitch Chat Client that also allows you to change your stream status, so I need an access token for these two features. At the moment I use Implicit Grant Flow to get a token, which is then stored locally.

When the same user has the Client on two computers and tries to get a token for the second installation, the first token is of course invalidated.

Solution 1

Getting a new token every time isn’t really feasible, so I thought having more than one application registered on Twitch and letting the user select e.g. “Computer 1” or “Computer 2” could allow the user to have two valid tokens at the same time. Of course this isn’t very pretty and requires some understanding of the problem on the side of the user.

This would be relatively easy to implement, since the client id when requesting a token would just have to be replaced with the one the user selected.

Solution 2

On IRC it was suggested to use Authorization Code Flow, which would enable the Client to get the Code on each installation (should be the same every time you request it) and then request a new token for every API call or IRC connection.

This of course would need a client secret and I’m not convinced that I can actually keep it secret, since it is a Desktop Application and thus it would be freely downloadable, even if it’s in obscured form (compiled in a Java class file). I’m also not very fond of checking/requesting a new token that often and it would be a lot harder to implement.


So the question is now…

  • Would registering more than one application on Twitch for the same actual application to be able to have more than one token at the same time be acceptable? I would suppose sending only one client id for making API calls would be preferred for rate limiting and such, unless authenticated calls with a token that wasn’t generated with the given client id would cause problems.
  • Would having the client secret in a freely downloadable Java class file be deemed secure enough?
  • And of course, does anyone have any other suggestions… :wink:


This thread is almost 2 years old and this is moot now, because you can generate several valid tokens for the same application/user now.

And I’d rather keep sensitive data like access tokens completely clientside. If I store it in a central database I have to make sure the tokens of potentially thousands of users are safe. I don’t even want to have access to any sort of login data of my users.