When making a server token.
I’m assuming this is on an EBS.
You can obtain the channelID the extension was called from, by passing up the JWT token from your frontend to the backend.
As the JWT will contain the channel_id, and since you verified the JWT you know for sure the channelID that the extension was loaded up on.
Example EBS: https://github.com/BarryCarlyon/twitch_profile_extension/blob/main/ebs/server.js#L140
This Example EBS intends to lookup the user that is logged into the extension, but the channelID is also in the verified JWT.
So for a “server”, if the extension is allowlisted to one channel, you can hardcode the channeID, having used the users API to convert a login to an ID.
But if it’s intended to work on multiple channels, you can extract the channelID from JWT or depending on the data you are relaying to the frontend from the backend use the “all”/global topic.
So if your frontend extension passes up the JWT you only have to pass up the JWT, not multiple bits of data, and the JWT can be verified and the channelID known for sure.
The ChannelID obtained from onAuthorized, should only be used in the frontend and not passed to the backend, since people could modify the data. So you should extract the channelID from the JWT from a security persepctive.
See also the JWT Schema docs