Scopes are applied to the URL that users click to provide an access token to grant access to their account.
Your code generates an app access token/client credentials, which (generally speaking) is only good for “public data”.
So to get private (scoped) data, you need to get permission from that user.
Which involves the following steps:
- send the user you want to access on behalf of to your webpage.
- user clicks a link that takes them to Twitch with the scopes in the request
- user accepts (or declines) their account linking to your clientID
- user comes back to your site with a `?code=`
- you exchange the code for an access (and refresh) token
You now have a scoped user access token.
see also
Docs: Getting OAuth Access Tokens | Twitch Developers
PHP Example: twitch_misc/authentication/user_access_generator/php at main · BarryCarlyon/twitch_misc · GitHub
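
The steps above as an added Python sketch (not part of the original post and not the linked PHP example): it builds the authorize link with the scopes on it, validates what comes back on your redirect URI, and prepares the server-side code exchange. The function names, the `state` handling and the sample values used with it are assumptions for illustration; the endpoints and parameters are Twitch's documented authorization code flow.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request

AUTHORIZE_URL = "https://id.twitch.tv/oauth2/authorize"
TOKEN_URL = "https://id.twitch.tv/oauth2/token"


def build_authorize_url(client_id, redirect_uri, scopes):
    """Return (url, state). Store state in the user's session before redirecting."""
    state = secrets.token_urlsafe(32)  # anti-CSRF value, checked on return
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # scopes are requested here, on the URL
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Validate the redirect back to your site and return the ?code= value."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response is not for this session")
    if "error" in params:  # the user declined the account link
        raise PermissionError(params["error"][0])
    if "code" not in params:
        raise ValueError("callback carried no code")
    return params["code"][0]


def token_request(client_id, client_secret, code, redirect_uri):
    """Build the server-side POST that swaps the code for tokens."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # stays on the server, never in the browser
        "code": code,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,  # must match the one used on the authorize URL
    }).encode()
    return Request(TOKEN_URL, data=body, method="POST")
```

Passing the returned `Request` to `urllib.request.urlopen` sends the exchange; the JSON reply carries the scoped user access token and the refresh token.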