Correct, EventSub only uses App Access Tokens.
No.
You have misunderstood what I have written, I think.
EventSub ONLY uses App Access Tokens.
If you want to subscribe to the channel subscriptions topics, for example:
- EventSub will take the App Access Token,
- Validate it
- Get the clientID from that token
- Look to see if the requested broadcaster has authorised that client ID to read subscribers.
Theres no user token invovled there.
But you need to have gotten a User Token with the relevant scopes from the user, even iif you never store/use that User Token, as otherwise the last step fails of EventSub setup, since you’ve never asked the broadcaster for access to their subscribers.
When creating a subscription to a topic, you only send the App Access Token.
The secret is made up by you and used to sign payloads from Twitch so you can verify that the payloads come from Twitch and not a bad actor. Since only you and Twitch will know this secret