They’re not POSTFIELDS, they’re GET parameters, even though it is a POST request. The body is just empty.
$fields = array(
'client_id' => 'p4axx80zlzi6t3kwc79ri3uu3kqpqi',
'client_secret' => 'ihopethiswasntyoursecret',
'grant_type' => 'authorization_code',
'redirect_uri' => 'https://developer.kactus.xyz/freelance/lirk/staging/form', //Not my actual url
'code' => $_GET['code']
);
$url = "https://api.twitch.tv/kraken/oauth2/token?" . http_build_query($fields);
You do not need to use the state parameter, but it’s recommended. It’s simply echoed back to you so you can save data across an authentication that way and verify it was your website that initiated the auth request.
$_GET[code]
if code is defined, that’s going to not do what you want, use a string explicitly. (I believe PHP logs a notice for this)