Valid OAuth token with bits:read scope required

geraltofzero · August 8, 2018, 7:43am

I want to get it through New api for Bits Leaderboard,and it need " Authentication Required scope: bits:read".
I try to do:

curl -X POST “https://id.twitch.tv/oauth2/token?client_id=a5l705mhq23b6qgshw7tehhmrpekx4&client_secret=4vqpm1ah0ohqwvrhot6pg8zeozd4l7&grant_type=client_credentials&scope=bits:read”

{“access_token”:“ve282j73b2hd6fmnfkr2re2t3nztta”,“expires_in”:5146367,“scope”:[“bits:read”],“token_type”:“bearer”}

curl -H “Authorization: OAuth ve282j73b2hd6fmnfkr2re2t3nztta” https://id.twitch.tv/oauth2/validate

{“client_id”:“a5l705mhq23b6qgshw7tehhmrpekx4”,“scopes”:[“bits:read”]}

it tell me the access token is ok ,but:

curl -H “Authorization: Bearer ve282j73b2hd6fmnfkr2re2t3nztta” -X GET “https://api.twitch.tv/helix/bits/leaderboard?count=2&period=week”

{“error”:“Unauthorized”,“status”:401,“message”:“Valid OAuth token with bits:read scope required”}
I do not know why,thanks for answer.

BarryCarlyon · August 8, 2018, 8:59am

Never ever post your Bearer token publically. Please revoke this key immeditely

You requested client_credentials, which as per the docs

Is an authorisation for your Application/Server/ClientID/Not a Person

As mentioned earlier, app access tokens are only for server-to-server API requests. The grant request below requires the client secret to acquire an app access token; this also should be done only as a server-to-server request, never in client code.

To follow up:

Authenticate your app and allow it to access resources that it owns. Since app access tokens are not associated with a user, they cannot be used with endpoints that require user authentication.

You requested an oAuth for your “application” and your “application” doesn’t have a bits program.

You need to do, OAuth Authorization Code Flow:

To get a User Authorization

geraltofzero · August 8, 2018, 1:38pm

Thank you,but I have a new problem.when I do:
curl -X GET “https://id.twitch.tv/oauth2/authorize?response_type=code&client_id=ckuuado6ptj1vkb1t3fc1e6rhn4sji&redirect_uri=http://localhost&scope=bits:read”

It reminds me that “oauth_request=false” and no return code.
Found.

BarryCarlyon · August 8, 2018, 1:41pm

You need to redirect the User to this URL in order to authenticate.
You should not perform a cURL fetch upon it.

geraltofzero · August 8, 2018, 2:16pm

Thanks.I don’t know users means,is the person who I want to collect information from？ I just want to collect information about score and broadcasters from New Twitch API. It requires “Authentication Required scope: bits:read”.So I do not know why redirect users to URL.And the docs’s example used curl.

BarryCarlyon · August 8, 2018, 2:18pm

In order to get information about the streamer cohhcarnage, cohhcarnage needs to have authenticated. If you authenticate as yourself, you cannot get cohhcarnage’s bits leaderboard.

You need to perform an oAuth dance with the person you wish to obtain the bits leaderboard for. So you give that person/streamer your webpage, and then they go off and authenticate and then you have a access token to use

system · September 7, 2018, 2:18pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.