I am wondering if it is allowed to send tokens created with the Implicit Code flow to my server to verify that a user is logged in with Twitch.
My (web-)application runs almost entirely within the user’s browser, but there is one endpoint on my server for which I want to make sure the user is actually logged into Twitch. I don’t need to store any user data on my server (or make requests on the user’s behalf), I basically just want to have my server send the access token to the validate endpoint to make sure that they are logged in (to reduce spam on an unauthorized endpoint).
Is this sort of thing allowed? The way I understand it, the Implicit Code flow does not require a server to use the token, but the documentation does not state that it is disallowed to ever send the token to my own server.
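
A sketch of the server-side check described in the question, added here as an example and not part of the original post: the server forwards the browser's token to Twitch's validate endpoint and accepts it only if it belongs to a user and was issued to this application. `EXPECTED_CLIENT_ID`, the function names, the token format check and the sample responses are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"
EXPECTED_CLIENT_ID = "your-app-client-id"  # placeholder: your own app's client ID


def twitch_validate(token):
    """Real transport: ask Twitch about the token, return (status, json or None)."""
    req = urllib.request.Request(
        VALIDATE_URL, headers={"Authorization": "OAuth " + token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # 401 for invalid or expired tokens
        return err.code, None


def fake_validate(token):
    """Constructed responses for offline runs; not real Twitch data."""
    table = {
        "goodtoken123": {"client_id": EXPECTED_CLIENT_ID, "login": "alice",
                         "user_id": "1001", "scopes": [], "expires_in": 3600},
        "othersapp456": {"client_id": "some-other-app", "login": "bob",
                         "user_id": "1002", "scopes": [], "expires_in": 3600},
        "apptoken789": {"client_id": EXPECTED_CLIENT_ID, "scopes": [],
                        "expires_in": 3600},  # no user attached
    }
    return (200, table[token]) if token in table else (401, None)


def check_login(token, transport=twitch_validate):
    """Return {'user_id', 'login'} for a valid user token of this app, else None."""
    # Assumption: tokens are short ASCII alphanumerics; reject anything else
    # before it reaches a header, and never log or store the token itself.
    if not (isinstance(token, str) and token.isascii() and token.isalnum()
            and len(token) <= 128):
        return None
    status, body = transport(token)
    if status != 200 or not isinstance(body, dict):
        return None
    # A token issued to a different application proves nothing about a login
    # to this one, so the client_id must match.
    if body.get("client_id") != EXPECTED_CLIENT_ID:
        return None
    if not body.get("user_id"):
        return None
    return {"user_id": body["user_id"], "login": body.get("login")}
```

Calling `check_login(token)` without a second argument uses the real endpoint; `fake_validate` exists only so the logic can be exercised offline.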