OAuth Authorization Code Flow for a chat bot: 401 invalid csrf token

Hello there,

I’m trying, through Postman, to enact the auth flow documented here.
However, even though the “state” parameter, a CSRF token, is marked as optional, it will give me 401 invalid csrf token with the following request:

https://id.twitch.tv/oauth2/authorize?client_id=myValidAndTestedClientID&redirect_uri=https://twitchapps.com/tokengen/&response_type=code&scope=channel_subscriptions

so I go over to https://www.uuidgenerator.net/ , remove the dashes from the generated UUID and enter a 32-character csrf token under state:

https://id.twitch.tv/oauth2/authorize?client_id=myValidAndTestedClientID&redirect_uri=https://twitchapps.com/tokengen/&response_type=code&scope=channel_subscriptions&state=fc156e575b5b49b191bce3a50347c668

Nothing, still 401, invalid csrf token.
The docs example shows a GET, but if I do that on Postman, I get an HTML response; if I then click on the Preview button, the page is white and empty.

What could the issue be?
The end goal is to implement automatic token renewal for my chat bot application, so I need a refresh token in response.
The chat bot application is registered on dev.twitch.tv and has its own Twitch account to interact with the chat, but I’m accessing the dev.twitch.tv dashboard with my own account and that’s where I have the bot application registered. I am then, of course, trying to provide authentication for the bot itself with a simple postman call, but I can’t seem to get out of this hole.

Any help would be extremely appreciated, so thanks in advance!

Step 1 of OAuth is to redirect the user to Twitch; you seem to be trying to use Postman to GET that URL instead.

You have to do this manually for your Chat bot initially/once.
Then refreshing can be automated, until the refresh token dies/is disabled for whatever reason.

You seem to be using twitchapps generator not your own.

You seem to be trying to fetch the URI instead of redirecting the user, this will result in weirdness and the CSRF error as step 1 is redirect the user to Twitch.

Thanks Barry,

I have done the first step already, or at least I believed so:
I have been going over to https://twitchapps.com/tokengen/ and have been getting an oauth token by entering my bot's client_id (aka the user to redirect).
You’re teaching me, though, that Twitch’s https://twitchapps.com/tokengen/ is not good for that purpose? What does one typically do, expose an oauth generator page on his own domain?

I’m aware I have some confusion to say the least, thanks again for the prompt response.

Yup

That won’t work, as that tokengen will only work with/expects its own ClientID/Secret pair.

I see, I’ve been using it to let the bot function, though: I’ve been going to the twitch tokengen, inputting the bot’s client_id, then making calls to twitch’s api with that oauth_token. But calling it directly with a post/get would need the tokengen’s own client_id; then what client_id do I need to call my own tokengen? :thinking:

https://id.twitch.tv/oauth2/authorize?client_id=myValidAndTestedClientID

implies you already have a ClientID; you just need to go build an OAuth loop/token gen you own/control.

1 Like

Maybe the flow I’m looking at isn’t the proper one; I just need machine-to-machine action, with my chatbot sustaining itself and querying the Twitch API for the channel_subscriptions scope. However, in the client credentials flow, no refresh token is returned, and there’s no offline_access scope I can enter.

Must I use the client secret to retrieve another access token whenever the token expires?

You can’t do machine-to-machine for a Chatbot.

Machine to machine tokens don’t represent a user.
Only users have channel subscriptions.

If you don’t get a refresh token back, that type of token cannot be refreshed.

For App Access Tokens (machine to machine) you just go make a new token.
For user access tokens, you should get a refresh token and can refresh, UNLESS you did implicit auth, which also cannot be refreshed.

You are using the correct flow, but you need to paint the credentials once manually for the bot account

Which for the record is this flow:

2 Likes
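Barry's advice amounts to owning the whole loop yourself: send the bot-account user to the authorize URL with a `state` you generated, check that `state` on the callback before you trust the code, and only then trade the code for an access token plus refresh token. Here is an added, stdlib-only Python sketch of that loop (not code from the thread, from twitchapps, or from Twitch); the client id, client secret, redirect URI and login label are placeholders you supply, the in-memory state table assumes a single bot process, and nothing here performs network calls.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"
TOKEN_URL = "https://id.twitch.tv/oauth2/token"

# state -> label of the login that issued it (e.g. "bot-account"). Assumption:
# one bot process; a multi-instance deployment would keep this in a shared store.
_pending_states: dict = {}


def build_authorize_url(client_id, redirect_uri, scopes, login_id):
    """Step 1: build the URL the *browser* is sent to (not fetched with Postman).

    Returns (url, state). The state is a fresh random value we remember, so the
    callback can prove it was started by us and not by a forged link."""
    state = secrets.token_urlsafe(32)
    _pending_states[state] = login_id
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must be a URI registered for this client
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def handle_callback(callback_url):
    """Step 2: validate the redirect back to redirect_uri; return (code, login_id).

    Raises ValueError when state is missing, unknown or reused, or when the
    authorization server reported an error instead of a code."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    state = q.get("state", [""])[0]
    login_id = _pending_states.pop(state, None)  # one-shot: a replay finds nothing
    if login_id is None:
        raise ValueError("unknown or reused state: possible CSRF, discarding code")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code, login_id


def token_exchange_form(client_id, client_secret, code, redirect_uri):
    """Step 3: form body to POST to TOKEN_URL; the JSON reply carries access_token
    and refresh_token (the refresh token the thread is after)."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "code": code, "grant_type": "authorization_code",
                      "redirect_uri": redirect_uri})


def refresh_form(client_id, client_secret, refresh_token):
    """Later: form body to POST to TOKEN_URL to renew the access token with no user present."""
    return urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "refresh_token", "refresh_token": refresh_token})
```

Because the state is popped on first use, a second delivery of the same callback (or a callback carrying a state this process never issued, like a hand-typed UUID) is rejected before any code is exchanged.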
