The redirect URLs from your initial authorization request and the redirect set up for your developer application have to match exactly. You shouldn’t need to detect if the user is coming from Twitch at all. A fake code won’t allow API requests through when passed into the Authorization header for those requests.
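A small pre-flight check for the exact-match requirement described above, as an added example that is not part of the original post: it pulls `redirect_uri` out of an authorization URL and reports which component differs from the URL registered for the application. The function names, the placeholder client ID and the localhost URLs are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://id.twitch.tv/oauth2/authorize"


def authorize_url(redirect_uri, client_id="YOUR_CLIENT_ID"):
    """Build an authorization URL (client_id is a placeholder)."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def redirect_mismatch(registered, url):
    """Return the reasons the redirect_uri in `url` is not identical to the
    registered redirect URL. An empty list means an exact match."""
    values = parse_qs(urlsplit(url).query).get("redirect_uri", [])
    if len(values) != 1:
        return [f"expected exactly one redirect_uri parameter, found {len(values)}"]
    sent = values[0]
    if sent == registered:
        return []

    reg, got = urlsplit(registered), urlsplit(sent)
    reasons = []
    for part in ("scheme", "netloc", "path", "query", "fragment"):
        a, b = getattr(reg, part), getattr(got, part)
        if a == b:
            continue
        hint = ""
        if part == "netloc" and a.lower() == b.lower():
            hint = " (letter case only)"
        elif part == "path" and a.rstrip("/") == b.rstrip("/"):
            hint = " (trailing slash only)"
        reasons.append(f"{part}: registered {a!r}, sent {b!r}{hint}")
    # Differences urlsplit normalises away (e.g. scheme case) still count.
    return reasons or [f"strings differ: registered {registered!r}, sent {sent!r}"]


if __name__ == "__main__":
    registered = "http://localhost:3000/callback"  # constructed sample value
    for candidate in (registered, registered + "/", "https://localhost:3000/callback"):
        print(candidate, "->", redirect_mismatch(registered, authorize_url(candidate)) or "exact match")
```
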