You are doing nothing wrong.
This is HOW OAuth works.
- You send the user to Twitch,
- They accept the connection (or decline)
- If they accept, they get redirected to your website and you get a code in the URL as a query string parameter
The code is a one-use string that you exchange for an access token.
It’s useless to anyone else and is not considered a “secret” that needs to be hidden.
That ?code= is not an access token.
If you were using implicit auth you get a #access_token and you don’t really need to hide that, as it’s the user’s own token.
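The redirect handling the reply describes, as an added example that is not the poster's code: it pulls the one-time `code` out of the redirect URL's query string (after checking the `state` value you sent with the authorize request, and handling a decline), builds the server-side exchange request that turns the code into an access token, and shows that an implicit-grant `#access_token` sits in the URL fragment, which the browser never sends to your server. The redirect URI, client id and secret are placeholders I made up; the token endpoint and form fields are the ones Twitch documents for the authorization code grant.

```python
"""Added example (not from the original post): server-side handling of
the OAuth authorization-code redirect described in the reply.

Assumptions (mine, not the poster's): the app registered its redirect
URI with Twitch and sent a random `state` with the initial authorize
request. TOKEN_URL and the form parameters are the ones Twitch documents
for the authorization code grant.
"""
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode

TOKEN_URL = "https://id.twitch.tv/oauth2/token"  # Twitch's documented token endpoint


def new_state() -> str:
    """Random, unguessable value that binds the redirect back to this session."""
    return secrets.token_urlsafe(32)


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Return the one-time `code` from the redirect URL's query string.

    Raises ValueError when the user declined, when the state does not match
    (a redirect this session did not start), or when no code is present.
    """
    parts = urlsplit(redirect_url)
    query = parse_qs(parts.query)
    if "error" in query:
        # Twitch sends e.g. error=access_denied when the user declines
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not a redirect we started")
    codes = query.get("code")
    if not codes:
        raise ValueError("no code in redirect")
    return codes[0]


def build_token_request(code: str, client_id: str, client_secret: str,
                        redirect_uri: str) -> tuple:
    """Form body for exchanging the code for an access token.

    This step needs the client secret, so it belongs on the server, not in
    the browser. Returned as (url, urlencoded_form) so it can be POSTed
    with any HTTP client.
    """
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
    }
    return TOKEN_URL, urlencode(form)


def implicit_token_location(redirect_url: str) -> dict:
    """Where an implicit-grant token lands: the fragment, which browsers
    do not send to the server, rather than the query string."""
    parts = urlsplit(redirect_url)
    return {
        "in_query": "access_token" in parse_qs(parts.query),
        "in_fragment": "access_token" in parse_qs(parts.fragment),
    }


if __name__ == "__main__":
    # Constructed sample redirect, as Twitch would send it after the user accepts
    state = "s1"  # in a real app this comes from new_state(), stored in the session
    sample = "https://example.invalid/cb?code=abc123xyz&scope=user%3Aread%3Aemail&state=s1"
    code = parse_redirect(sample, state)
    url, body = build_token_request(code, "CLIENT_ID_PLACEHOLDER",
                                    "CLIENT_SECRET_PLACEHOLDER",
                                    "https://example.invalid/cb")
    print("POST", url, body)
    print(implicit_token_location("https://example.invalid/cb#access_token=tok&token_type=bearer"))
```

Only `build_token_request` touches the client secret, which is the practical reason the code can sit in a URL while the exchange must not run in the browser; the `state` check is what stops someone else's redirect from being accepted by your session.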