Sounds like you found a security bug that has now been resolved.
This sounds like the same bug I found and reported late last week. Since you shouldn’t be able to read anyone’s hypetrains without prior permission.
You can use an app access token if the user has authenticated/permitted your clientID with the scope once.
So I can use my app access token to read cohhcarnage’s hypetrains as he has authorised me once with a user token with the needed scope
But I can’t use my app access token to read lirik’s hypetrains as he has not authorised me once with a user token with the needed scope
It only lets you read channels that you have permission from
As follows:
- You use an app access token
- twitch checks if the token is valid
- twitch gets the clientID for that token
- twitch checks if the requested channel has granted
channel:read:hype_trainscope via the user oAuth flow
Basically the same auth flow as how eventsub works.
TLDR you found a security bug, which has now been fixed.
However currently looks like App Access Tokens do not work at all. Even with prior authentication.