Removed the refresh token
ClientID’s are public
ClientSecret, oAuth Tokens, and Refresh tokens are not and should be securet
This is very very wrong
--data-urlencode tells you what/how to format the data when using cURL it doesn’t become part of the URL.
$ch = curl_init('https://id.twitch.tv/oauth2/?grant_type=refresh_token&refresh_token=REMOVED&client_id=CLIENT&client_secret=SECRET');
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
print_r($response);
But this only works if you have a refresh token to use, which I don’t think you do.
You should generate and use an App Access Token/Client Credentials for this