I have spent a lot of time on this already, but can’t find any definite answer. I’d appreciate a lot, if somebody could clear this up.
I’m writing a chatbot in PHP. I’m supposed to be using a password for IRC login that is an OAuth access token in a format like this: oauth:abcdef123456ABCDEF
Is there no way the bot code can get this for themselves? In the past I’ve had these access tokens expire and the bot disconnect. How is this supposed to work? I always get a new token in the browser and have to update the bot config?
I have working code that can get an access token with correct scopes via the Client Credentials flow. But it is no good for connecting to IRC apparently (as I have learned in this post)
I’d like to automate the process if I can. I have registered my bot as an app and have client_id and client_secret to use with OAuth. I can’t be the only one wanting to do this.
If anybody has some better info on this than the official docs, I’d very much appreciate it!
How do apps like Nightbot do this? Do they actually have somebody generate these codes by hand and paste them?
Step 1 of User oAuth requires you to manually grant access between the bot account and the ClientID via a web browser.
Once you have done this, you can then use the refresh_token to automate getting a new token.
As long as the refresh_token remains valid, you can use it to get a new access token, you may get a new refresh token returned when you refresh.
Thats just for “quick start”/testing and you really shouldn’t use it in production, it generates a non refreshable Implict Access Token, which is no good for bots to auto remain connected
A Client Credentials token, as linked, doesn’t represent a user, so cannot do user actions, such as login to chat to read/write.
Night will have autothorised NightBot to NightBot’s application, once via a browser, then night will use nightbot’s refresh token to regenerate an Access Token as needed.
And then if the refresh token dies, Night will reauthorise the account manually.
A bots token is only checked when the bot starts/re/connects to chat, so you’ll only need to refresh when (re)connecting to Twitch, (and the bot can use a client_creds total internally for uptime checks etc)
It is still weird to me that a server-side application, such as a chat bot, requires this browser-based step to get startet, but at least with your help I got it to work.
I’m caching the access and refresh tokens in a config file, so I don’t have to refresh on every reconnect attempt of the bot. But in case the access_token is rejected, the bot can now request a refresh on its own.
To Twitch a “chat bot” is just a user account, it’s not marked “specially” as a bot.
So currently you can’t just get a token as the account is no different to a user, hence the manual browser step.
Usually an access token is only valid for around four hours, so I don’t bother trying the access token, when my bot (re)starts it just uses the refresh proceedure and I don’t bother storing the access token beyond using it to login to chat. (As in most cases my bot’s don’t restart sooner than four hours anyway)
That seems a good practice. As a beginner, I found it challenging to get access_token at all, so once I had one, I valued it a lot. But it now seems the refresh_token is the actually valuable one. Great tip!