Using OAuth authorization code flow to get moderators of a channel

I already fetched data from a few endpoints (Get Streams, Get Channels) and it works perfectly.

But now I want to get the moderators of a channel (docs https://dev.twitch.tv/docs/api/reference#get-moderators), and I need to use the OAuth authorization code flow (docs https://dev.twitch.tv/docs/authentication/getting-tokens-oauth#oauth-authorization-code-flow).

I understand how to do it and it works (the popup where the user accepts the permission), but does the user need to get the popup every time he goes on the page that fetches moderators data? Is there not another way?

Normally, you would ask permission from the broadcaster once, then store the keys in a database.

Then use the keys in the database until those keys (and the refresh token) die.

You can gate access to your site however you want. But yes, if you are using Twitch Auth to log a user into your site to then use that site to view the moderators, then you’ll probably need to go thru the oAuth flow. With force_verify off you won’t get an accept dialog (but still need to run thru the flow).

So it really depends here on what you are actually doing, which would allow us to suggest what to do.

TLDR: if your site uses Twitch to log in to the site, then you’ll need to authenticate/oAuth whenever the session is no longer valid.

I would like to avoid using a database. Do you think that when I get the code in the URL after the user gets redirected with the popup, I can put the code from the query in the URL in localStorage and encode it until it expires?

And then every time the user comes to the page that fetches data, if the token has expired, I redirect him to the Twitch popup; else I do the request with the token in localStorage.

If you encode it, how do you use it? As if it’s encoded then you have to be able to decode it to use it.

Then every time you want to look at the moderator list you’d have to load from the API, which can introduce latency on duplicate loads.
Generally, depending on why you need this, you’d load once from the API then use EventSub to track moderator add/remove (and periodically do a full recache from the API).

When using oAuth the ?code is a one use code that is used to exchange for an access token, so storing the code is useless.

However, yes, you can store the generated access token (if using regular oAuth), or the returned #access_token, in local storage if you want, and then use that until it expires; that is a form of session management that would work.

It’s also perfectly valid to store the user’s own token on their own machine.

Ok, I’m gonna try a few things. About the ?code in the URL, can I remove it from the URL when the user gets redirected? Because I find it ugly to have this long URL every time the user comes to this page.

Sure, after getting the ?code and exchanging the code for an access token, store the access token in local storage then redirect to your home page/wherever you want.

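The client-side handling discussed in this thread (take the ?code off the URL, keep the access token in local storage, restart the flow once it has expired), as an added example that is not code from any of the posts. It assumes the code-for-token exchange is done elsewhere and returns Twitch's token JSON (`access_token`, `expires_in`); the storage key names, the injected `storage` object and the `state` check are assumptions of this example.

```javascript
// Added example. In a browser, pass window.localStorage as `storage`.
const TOKEN_KEY = "twitch_token"; // hypothetical key name
const STATE_KEY = "twitch_state"; // hypothetical key name
const SKEW_MS = 60 * 1000;        // treat the token as expired 60 s early

// Pull ?code and ?state out of the redirect URL and return a clean URL for
// history.replaceState(), so the code does not stay in the address bar,
// browser history or Referer headers.
function takeCodeFromUrl(href) {
  const url = new URL(href);
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  for (const p of ["code", "state", "scope"]) url.searchParams.delete(p);
  return { code, state, cleanUrl: url.toString() };
}

// The state sent with the authorization request must come back unchanged.
// It is single use, so it is removed whether or not it matches.
function consumeState(storage, returned) {
  const expected = storage.getItem(STATE_KEY);
  storage.removeItem(STATE_KEY);
  return expected !== null && returned === expected;
}

// Store the token with an absolute expiry computed from expires_in (seconds).
function saveToken(storage, tokenResponse, now = Date.now()) {
  const record = {
    accessToken: tokenResponse.access_token,
    expiresAt: now + tokenResponse.expires_in * 1000,
  };
  storage.setItem(TOKEN_KEY, JSON.stringify(record));
  return record;
}

// Return the token if it is still valid; otherwise clear it and return null
// so the caller knows to send the user through the OAuth flow again.
function loadToken(storage, now = Date.now()) {
  const raw = storage.getItem(TOKEN_KEY);
  if (raw === null) return null;
  let record;
  try { record = JSON.parse(raw); } catch { record = null; }
  if (!record || typeof record.accessToken !== "string" ||
      !(record.expiresAt - SKEW_MS > now)) {
    storage.removeItem(TOKEN_KEY);
    return null;
  }
  return record.accessToken;
}
```

After a successful exchange, call `history.replaceState(null, "", cleanUrl)` with the URL returned by `takeCodeFromUrl`. Anything in local storage is readable by every script running on the origin, so the stored token is only as safe as the page is from XSS.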