Getting 403 Forbidden error when trying to authenticate with Twitch API using password flow

I’m trying to connect to the Twitch API using Java but keep getting a 403 error saying password grant is not allowed for my client ID. Here’s the code I’m using:

package streaming.auth.handler;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.util.ArrayList;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;

public class TwitchAuthenticator {

    public static void main(String[] args) throws URISyntaxException, ClientProtocolException, IOException {
        HttpPost authRequest = new HttpPost("https://api.twitch.tv/kraken/oauth2/token");
        org.apache.http.client.HttpClient httpClient = new DefaultHttpClient();
        ArrayList<NameValuePair> authParams = new ArrayList<NameValuePair>();
        authParams.add(new BasicNameValuePair("grant_type", "password"));
        authParams.add(new BasicNameValuePair("client_id", Config.appId));
        authParams.add(new BasicNameValuePair("client_secret", Config.appSecret));
        authParams.add(new BasicNameValuePair("username", Config.userLogin));
        authParams.add(new BasicNameValuePair("password", Config.userPassword));
        authParams.add(new BasicNameValuePair("scope", "user_read"));
        authRequest.setEntity(new UrlEncodedFormEntity(authParams));
        HttpResponse response = httpClient.execute(authRequest);

        // Print the raw response body line by line; try-with-resources closes the stream.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(response.getEntity().getContent()))) {
            String responseData;
            while ((responseData = reader.readLine()) != null) {
                System.out.println(responseData);
            }
        }
    }
}

The error message I get is: {"status":403,"message":"Password grant not permitted for client ID xyz123abc","error":"Forbidden"}

I followed the documentation but it still doesn’t work. What could be causing this issue?

Twitch deprecated the password grant flow, which is why you’re encountering the 403 error. This change was made for security purposes, as handling user passwords directly poses risks. You’ll need to transition to either the Authorization Code flow or the Client Credentials flow for your application’s authentication needs. For user authentication, I recommend using the Authorization Code flow, as it redirects users to Twitch’s login and returns an authorization code. If you only require app-level access without user data, the Client Credentials flow will suffice. I faced a similar situation last year when updating an outdated project, and while switching to the Authorization Code flow requires proper redirect handling, it’s manageable.
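
The redirect handling the answer mentions, sketched as an added example that is not code from the original posts or from Twitch: the app builds the authorization URL with a random `state`, checks that `state` on the callback before accepting the code, and exchanges the code server-side. Assumptions: Java 11+, the `id.twitch.tv` OAuth endpoints, the `user_read` scope reused from the question, a placeholder client ID, secret and localhost redirect URI, and hypothetical class and method names.

```java
import java.net.*;
import java.net.http.HttpRequest;
import java.security.SecureRandom;
import java.util.*;
import java.util.stream.Collectors;
import static java.nio.charset.StandardCharsets.UTF_8;

public class TwitchAuthCodeFlow {
    static final String OAUTH = "https://id.twitch.tv/oauth2"; // assumed host, not the question's kraken URL
    static String form(Map<String, String> p) { // application/x-www-form-urlencoded
        return p.entrySet().stream().map(e -> URLEncoder.encode(e.getKey(), UTF_8) + "="
            + URLEncoder.encode(e.getValue(), UTF_8)).collect(Collectors.joining("&"));
    }
    // Unguessable per-login value; keep it in the user's session to bind the callback to it.
    static String newState() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // Step 1: send the browser here; the user types the password at Twitch, never into the app.
    static String authorizeUrl(String clientId, String redirectUri, String scope, String state) {
        return OAUTH + "/authorize?" + form(Map.of("response_type", "code", "client_id", clientId,
            "redirect_uri", redirectUri, "scope", scope, "state", state));
    }
    // Step 2: accept the code from the redirect only if state matches the stored one.
    static String codeFromCallback(String query, String expectedState) {
        Map<String, String> q = new HashMap<>();
        for (String kv : query.split("&")) {
            String[] a = kv.split("=", 2);
            q.put(URLDecoder.decode(a[0], UTF_8), a.length > 1 ? URLDecoder.decode(a[1], UTF_8) : "");
        }
        if (!expectedState.equals(q.get("state")) || !q.containsKey("code"))
            throw new SecurityException("state mismatch or missing code");
        return q.get("code");
    }
    // Step 3: server-side exchange of the code for tokens; the client secret stays on the server.
    static HttpRequest tokenRequest(String clientId, String secret, String redirectUri, String code) {
        return HttpRequest.newBuilder(URI.create(OAUTH + "/token"))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form(Map.of("grant_type", "authorization_code",
                "code", code, "client_id", clientId, "client_secret", secret, "redirect_uri", redirectUri)))).build();
    }
    public static void main(String[] args) {
        String cb = "http://localhost:8080/callback", state = newState(); // placeholder redirect URI
        System.out.println(authorizeUrl("CLIENT_ID_PLACEHOLDER", cb, "user_read", state));
        String code = codeFromCallback("code=constructed-code&state=" + state, state); // constructed callback
        System.out.println(tokenRequest("CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER", cb, code).uri());
    }
}
```

The `main` method only builds and prints the requests so it runs offline; in a real application the token request is sent with `java.net.http.HttpClient` from the handler behind the registered redirect URI.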