Good OAuth approach (?)

Okay. If you’re really worried about people hand-crafting Twitch OAuth queries (which requires them knowing your OAuth callback URL in advance) and doing legitimate Twitch sign-ins just to get their details in your database without installing the extension… Then just use the optional ‘state’ parameter in your OAuth calls, which is in the authentication docs guide, and is there to solve this exact issue. Get a token from your EBS before you create the OAuth link, or just send the JWT.

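One way an EBS could issue and check the `state` value described in the post above. This is an added example, not part of the original post and not Twitch's own code. The function names, `STATE_KEY`, the 300-second lifetime, the in-memory nonce set and the `user:read:email` scope are assumptions, and the EBS is assumed to have already verified the extension JWT before calling `issue_state`.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode

STATE_KEY = secrets.token_bytes(32)  # EBS-only secret (assumed: loaded from config in practice)
STATE_TTL = 300                      # seconds a state value stays valid (assumed)
used_nonces = set()                  # replay guard; a real EBS would use a shared store

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_state(user_id, now=None):
    """EBS side: called only after the extension JWT for user_id was verified."""
    now = time.time() if now is None else now
    payload = f"{user_id}|{int(now) + STATE_TTL}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    return f"{b64e(payload)}.{b64e(tag)}"

def verify_state(state, now=None):
    """OAuth callback side: returns the bound user_id, or None to reject."""
    if not isinstance(state, str):   # callback arrived without a state parameter
        return None
    now = time.time() if now is None else now
    try:
        p64, t64 = state.split(".")
        payload, tag = b64d(p64), b64d(t64)
        user_id, expiry, nonce = payload.decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):  # malformed or hand-crafted value
        return None
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # not issued by this EBS
        return None
    if now > expiry or nonce in used_nonces:    # stale or already redeemed
        return None
    used_nonces.add(nonce)
    return user_id

def build_authorize_url(client_id, redirect_uri, state):
    query = urlencode({"client_id": client_id, "redirect_uri": redirect_uri,
                       "response_type": "code", "scope": "user:read:email", "state": state})
    return "https://id.twitch.tv/oauth2/authorize?" + query
```

The callback handler should refuse to store anything when `verify_state` returns `None`, and should check that the returned user ID matches the account the OAuth exchange resolves to.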