A reminder to validate access tokens when using OAuth2

  1. So don’t log out the user then if they are still logged in via other valid means?

  2. You don’t need to continually validate tokens, only when they are using your site. It doesn’t matter if a token is invalid when they are not active on your site.

Yes, the tokens will stop working when the user revokes access, but this isn’t about using access tokens to access API stuff; it’s about using Twitch’s OAuth process to log a user in to your site. So if you’re doing JUST logins, and not accessing the API, then without validating the token you would have no idea if the user has revoked the token or not, and due to session cookies they may still be using your site when you should be sending them back to the login screen (unless they’ve also logged in with a non-Twitch OAuth process, in which case how you handle that is up to you).
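An added example, not part of the original post: one way to run this check on each request from an active session, so idle users are never validated. The session dict layout, the `check_session` helper and the one-hour interval are assumptions; the endpoint and the `Authorization: OAuth` header are Twitch's documented token validation call.

```python
import time
import urllib.error
import urllib.request

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"
REVALIDATE_AFTER = 3600  # seconds between checks for an active session (assumed)


def twitch_token_is_valid(token):
    """Return True if Twitch answers 200 for the token, False on 401."""
    req = urllib.request.Request(
        VALIDATE_URL, headers={"Authorization": f"OAuth {token}"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False  # revoked or expired
        raise  # anything else is an outage, not a revocation


def check_session(session, now=None, validator=twitch_token_is_valid):
    """Call on every request from a logged-in user; returns 'ok' or 'login'.

    session is a hypothetical dict with the keys twitch_token,
    last_validated and other_login (a non-Twitch login is present).
    """
    now = time.time() if now is None else now
    token = session.get("twitch_token")
    if token is not None:
        if now - session.get("last_validated", 0) < REVALIDATE_AFTER:
            return "ok"  # validated recently, skip the network call
        if validator(token):
            session["last_validated"] = now
            return "ok"
        # Token no longer valid: drop the Twitch login from the session.
        session.pop("twitch_token", None)
        session.pop("last_validated", None)
    # No valid Twitch token: stay logged in only via another login method.
    return "ok" if session.get("other_login") else "login"
```

Because the check only runs inside request handling, a revoked token for a user who is not on the site costs nothing until their next request.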