Send the JWT off-site to your EBS; the EBS can then cross-check it with the viewer list for the channel. No authenticated calls needed.
Or the Extension can fetch the viewer list itself and compare, but I wouldn’t recommend that.
You would need to perform your own authentication/OAuth loop in order to get a key. This would work best with Implicit auth, since an extension is pure client side. But you don’t know what the Redirect URL needs to be.
So you’d need to route this via your EBS, to jump/skip the authentication back to the Extension Client.
Or you do normal auth via a bounce to your EBS and proxy any requests from your extension via the EBS.
TLDR: It’s not easy to do authed calls in an extension pure client side, due to the need to protect secrets and the fact that you don’t know the redirect URL for the frontend.
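The first option in the post above (JWT sent to the EBS, EBS cross-checks the viewer list), sketched as an added example that is not part of the original post or Twitch's own code. It assumes the extension JWT is HS256-signed with the base64-decoded extension secret and carries `channel_id`, `user_id` and `exp` claims; the function names, the sample secret and ids, and the viewer list passed in as a `Set` of user ids are all constructed for illustration.

```javascript
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Helper used only to build constructed sample tokens for this example.
function signJwt(payload, secret, alg = "HS256") {
  const head = b64url(JSON.stringify({ alg, typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Returns the verified payload, or throws. Runs on the EBS, where the secret lives.
function verifyExtensionJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  // Pin the algorithm: never let the token header choose how it is verified.
  const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  // Constant-time comparison; the length check avoids timingSafeEqual throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (typeof payload.exp !== "number" || payload.exp <= nowSec) throw new Error("expired");
  return payload;
}

// Cross-check: is the verified user in the viewer list for the expected channel?
function isViewerPresent(token, secret, channelId, viewerIds, nowSec) {
  let claims;
  try {
    claims = verifyExtensionJwt(token, secret, nowSec);
  } catch {
    return false; // any parse or verification failure is a rejection
  }
  if (claims.channel_id !== channelId) return false; // token issued for another channel
  if (!claims.user_id) return false; // no user_id claim in the token
  return viewerIds.has(claims.user_id);
}

// Constructed sample values (not real secrets or ids).
const SAMPLE_SECRET = Buffer.from("Y29uc3RydWN0ZWQtZGVtby1zZWNyZXQ=", "base64");
const SAMPLE_VIEWERS = new Set(["1001", "1002"]);
const SAMPLE_TOKEN = signJwt({ channel_id: "42", user_id: "1001", exp: 2000 }, SAMPLE_SECRET);
```

The secret never leaves the EBS, so the extension frontend only forwards the token it was handed and holds nothing worth stealing.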