In an effort to standardize authentication and provide security improvements for the Twitch community, OAuth will soon be required for all endpoints in the new Twitch API, also known as "Helix." The goal of this announcement is to provide a timeline and full details of this new requirement, and to answer a few anticipated questions. Please feel free to add further questions via the comments below; we appreciate your feedback during this process.
Starting on April 30, 2020, Helix will require the following:
- Use of OAuth across all endpoints, either via an app access token or user access token.
- The client ID provided in the corresponding header must match the client ID used to generate the OAuth token.
Here is a sample request showing both headers mentioned above (the Authorization header carries the OAuth token, and the Client-ID header must carry the client ID that generated it):
curl -H 'Authorization: Bearer cfabdegwdoklmawdzdo98xt2fo512y' \
     -H 'Client-ID: uo6dggojyb8d6soh92zknwmi5ej1q2' \
     -X GET 'https://api.twitch.tv/helix/users?id=44322889'
Why is Twitch making these changes?
As part of our goal to provide a unified high-caliber API experience to developers, we are providing a more consistent and controlled means of access to the Twitch API.
How will this affect Extensions developers?
Existing Extensions submitted for review on or before January 31, 2020 can continue to use any Helix endpoints as-is until June 31, 2020. These Extensions will need to be updated and adhere to the new OAuth requirements above by this date. New Extensions submitted for review on or after February 1, 2020 will need to use OAuth to access any Helix endpoints.
We are actively exploring methods to allow Extensions to have some of the same functionality developers currently have through the front-end without an OAuth token. It is currently in ideation stages and we will have more information before the date in June.
Where can I learn more about the use of OAuth on Twitch?
Please refer to the Authentication section of the Twitch Developer documentation.
What happens if I don’t pass an OAuth token in my API request?
You will receive a 401 error in response noting that you must pass a valid OAuth token.
What happens if the client ID in the header of my request does not match the client ID in my OAuth token?
You will receive a 401 error in response noting that the client ID in the header does not match the client ID associated with your OAuth token.
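To make the header requirement and the two 401 cases above concrete, here is an added example (not Twitch's code): a small client helper that builds the Helix headers, and a stand-in for the server-side check that reproduces the behaviour described in this announcement. The token-to-client-ID registry and the error messages are constructed assumptions, not Twitch's actual implementation.

```python
from typing import Dict, Tuple

# Constructed stand-in for the token store: maps an OAuth token to the
# client ID that generated it. Values are taken from the sample request above.
TOKEN_OWNERS: Dict[str, str] = {
    "cfabdegwdoklmawdzdo98xt2fo512y": "uo6dggojyb8d6soh92zknwmi5ej1q2",
}


def helix_headers(token: str, client_id: str) -> Dict[str, str]:
    """Build the headers a Helix request needs: the bearer token and the
    client ID that minted it. Keep this on a back-end server when the token
    is an app access token; it must never be embedded in front-end code."""
    return {"Authorization": f"Bearer {token}", "Client-ID": client_id}


def check_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, object]]:
    """Assumed server-side check modelled on the announcement: reject a request
    with no OAuth token, an unknown token, or a Client-ID header that does not
    match the token's owner. Returns (HTTP status, JSON-style body)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "Unauthorized", "status": 401,
                     "message": "OAuth token is missing"}
    token = auth[len("Bearer "):]
    owner = TOKEN_OWNERS.get(token)
    if owner is None:
        return 401, {"error": "Unauthorized", "status": 401,
                     "message": "Invalid OAuth token"}
    if headers.get("Client-ID") != owner:
        return 401, {"error": "Unauthorized", "status": 401,
                     "message": "Client ID and OAuth token do not match"}
    # Constructed success body in the shape of a /helix/users response.
    return 200, {"data": [{"id": "44322889"}]}


if __name__ == "__main__":
    good = helix_headers("cfabdegwdoklmawdzdo98xt2fo512y",
                         "uo6dggojyb8d6soh92zknwmi5ej1q2")
    print(check_request(good))                          # 200
    print(check_request({"Client-ID": good["Client-ID"]}))  # 401, no token
    print(check_request(helix_headers(
        "cfabdegwdoklmawdzdo98xt2fo512y", "someotherclientid")))  # 401, mismatch
```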
My application does not currently make use of an OAuth token to access the Twitch API. What should I do?
We recommend passing an app access token within your request or a user token for a request made on behalf of a Twitch user. In addition to the authentication documentation, you can learn more about these options in our blog post entitled Authentication: Understanding Which Protocol and Flow is Right For You.
We also recommend that you do not use an app access token in your front-end code. Requests that use an app access token should be made by a back-end server, so that the token is never exposed to end users.
How will this change the Twitch API rate limits?
The Twitch API rate limits are currently based on either IP address for unauthenticated requests or OAuth tokens for those requiring authentication. After these changes, access to the API will only be available via OAuth tokens and rate limits will no longer be based on IP address…
As mentioned, please provide any questions you may have below; we appreciate your feedback related to this authentication change.