[SOLVED] Keeping Auth for Login

channel_read scope, from the documentation:
Read access to non-public channel information, including email address and stream key.

So if the token were compromised, the person who compromised the token would have the broadcaster's email address and the ability to stream (using OBS, XSplit or similar) on the broadcaster's channel, which means somebody malicious could stream something against TOS (i.e. porn) and get the user's account banned (either temporarily or permanently).

I’m not making claims that it will happen, just be aware, as a developer, that what you do needs to be done with care, and try to make things as safe as possible for your users, who, when they give you OAuth tokens, are placing trust in you to keep those tokens secure.

The main ways to steal cookie data are CSRF and XSS (cross-site request forgery and cross-site scripting) - both are things you should read up on if you’re just learning.

A machine key is just a GUID assigned to a user's computer; there’s nothing particularly special about it, but you can read up on it.

Also be sure to always use tried and true, vetted encryption algorithms. Your purpose is to supply salt keys to encryption routines, not roll your own encryption. (Salt is a technical term; google ‘Encryption Salt’ if you want to learn more.)
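One way to put the advice above into practice, as an added example that is not from this post or from Twitch: the OAuth token is kept server-side, sealed with the Go standard library's AES-GCM (a vetted algorithm, not home-grown), and the browser cookie only ever holds an opaque session id. The key, the in-memory map and the session/token values are assumptions standing in for real configuration and a real database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// TokenVault keeps OAuth tokens server-side, sealed with AES-GCM (a vetted AEAD).
// The browser cookie should carry only the opaque session id (HttpOnly, Secure),
// so cookie data taken via XSS or CSRF never contains the token itself.
type TokenVault struct {
	aead  cipher.AEAD
	store map[string][]byte // session id -> nonce||ciphertext (stand-in for a database)
}

// NewTokenVault takes a 16, 24 or 32-byte key loaded from configuration, never from source.
func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, store: map[string][]byte{}}, nil
}

// Put seals the token under a fresh random nonce and binds it to the session id
// as associated data, so a record copied onto another session will not open.
func (v *TokenVault) Put(sessionID, token string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.store[sessionID] = v.aead.Seal(nonce, nonce, []byte(token), []byte(sessionID))
	return nil
}

// Get opens the record; tampering or a session mismatch fails the GCM tag check.
func (v *TokenVault) Get(sessionID string) (string, error) {
	sealed, ok := v.store[sessionID]
	ns := v.aead.NonceSize()
	if !ok || len(sealed) < ns {
		return "", errors.New("no usable record for session")
	}
	plain, err := v.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(sessionID))
	return string(plain), err // plain is nil (empty string) on failure
}
```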