The lambda is only communicating to id.twitch.tv, the calls to api.twitch.tv are executed from the extension (I know that it can induce some security issue where the token generated for my extension could be used by other people but I count on CORS to protect my Lambda from being accessed by other services).
Well the problem is that I have thousand of users that uses my extension (so there is a lot of token issued). I know that client credentials is not the best OAuth flow for what I’m doing but I don’t want the user to authenticate themselves on the extension (authorization grant, implicit, …), it’s supposed to be a simple extension that read only public information (is a streamer on or off)
From what I’m understanding of your answer, I supposed I should create an intermediate API that handles the authentication through client credentials and then forward the response of the request of api.twitch.tv/helix/streams.
Thanks for your answer