This feels like a convoluted way to do this in PHP.
You most liekly do not need these four lines
CURLOPT_CAINFO => PATH_TO_CERT, // ssl certificate
CURLOPT_RETURNTRANSFER => TRUE, // return stuff!
CURLOPT_SSL_VERIFYPEER => TRUE, // verify peer
CURLOPT_SSL_VERIFYHOST => 2, // verify host
and here
// json decode response body
$apiResponse = json_decode( $apiResponseBody, true );
} else { // no headers response is json string
// json decode response body
$apiResponse = json_decode( $apiResponse, true );
}
you assume you get JSON, you might not have done
There is not HTTP Response code checking here either, so you didn’t test if you got a 4xx as apposed to a 2xx code.
This “PHP One Page” example might help you out
Specifically the stuff around line 49 for HTTP Response code checking
$endpoint = self::TWITCH_ID_DOMAIN . 'oauth2/token';
What is self::TWITCH_ID_DOMAIN set to?
Did you omit a / on the end and it tried to POST to https://id.twitch.tvoauth2/token in error?