Getting 403 Forbidden Error When Using Password Authentication Flow with Twitch API

I’m trying to authenticate with the Twitch API using the password grant flow, but I keep getting a 403 error saying “Password grant not permitted”. Here’s my Java code:

package com.streaming.auth;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Arrays;
import java.util.List;

import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair;

public class TwitchAuthenticator {

    public static void main(String[] args) throws IOException {
        // Resource-owner password grant against the legacy Kraken token endpoint
        HttpPost authRequest = new HttpPost("https://api.twitch.tv/kraken/oauth2/token");

        List<NameValuePair> authParams = Arrays.asList(
            new BasicNameValuePair("grant_type", "password"),
            new BasicNameValuePair("client_id", AppConfig.CLIENT_ID),
            new BasicNameValuePair("client_secret", AppConfig.CLIENT_SECRET),
            new BasicNameValuePair("username", AppConfig.USER_NAME),
            new BasicNameValuePair("password", AppConfig.USER_PASSWORD),
            new BasicNameValuePair("scope", "user_read")
        );
        authRequest.setEntity(new UrlEncodedFormEntity(authParams));

        // try-with-resources closes the client, the response and the reader even if reading throws
        try (CloseableHttpClient httpClient = HttpClients.createDefault();
             CloseableHttpResponse response = httpClient.execute(authRequest);
             BufferedReader reader = new BufferedReader(new InputStreamReader(
                 response.getEntity().getContent()))) {
            // Print the raw JSON body; on failure this is where the 403 error document shows up
            String responseData;
            while ((responseData = reader.readLine()) != null) {
                System.out.println(responseData);
            }
        }
    }
}

The error message I’m receiving is:

{"status":403,"message":"Password grant not permitted for client ID xyz123","error":"Forbidden"}

I followed the documentation but can’t figure out why this authentication method isn’t working. Any ideas what could be causing this issue?

This happens because Twitch killed password grants a few years back. Your code would’ve worked with the old system, but they completely block it now for new apps. I hit the same wall when I migrated an old bot. You’ll have to switch to the authorization code flow - means setting up a callback URL in your Twitch app and dealing with OAuth redirects. Basically you send users to Twitch’s auth page, then swap the code they give you for an access token. It’s a pain to set up but way more secure since your app never sees their credentials.

Twitch discontinued the password grant flow for security reasons, and new applications are no longer allowed to use it. The 403 error you’re encountering indicates that this method is not supported for your client ID. Instead, consider switching to either the Authorization Code flow for user authentication, which directs users to Twitch’s login page, or the Client Credentials flow for app-only requests without user context. I had to update my Twitch integration last year due to this change, and I found the OAuth2 redirect flow to be a more secure option since it avoids handling user passwords.

This is happening because Twitch killed password authentication flows completely. Your client ID doesn’t have permission to use that method anymore. I ran into the same issue with legacy apps using the old Kraken API. Your code’s fine for what password flow used to be, but now Twitch only allows implicit grant for client-side apps or authorization code flow for server apps. Since you’re using Java, go with authorization code flow and set up a temporary local server to catch the callback. More work upfront, but it’ll keep you compliant with Twitch’s current requirements.

Password flow is completely dead - Twitch killed it and won’t whitelist anyone anymore. Got the same 403 error on an old project. Also, the Kraken API is deprecated, so you should switch to Helix endpoints while you’re fixing this.

Yeah, password flow’s been deprecated for ages. Most apps switched to authorization code flow - it redirects users to Twitch’s OAuth page instead of handling passwords directly. Way safer since you’re not storing any user credentials.
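The authorization code flow the answers recommend, as an added example that is not the question's code or a Twitch sample: a short-lived local server catches the redirect, rejects callbacks whose state value does not match, and then exchanges the one-time code for a token so the app never handles the user's password. It assumes Java 11+, that `AppConfig` holds the same client ID and secret as the question, that `http://localhost:3000/callback` is registered as the app's redirect URL, and the Helix scope `user:read:email` in place of Kraken's `user_read`.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.concurrent.CompletableFuture;

public class TwitchCodeFlow {
    // Assumed: REDIRECT is registered as the app's redirect URL; AppConfig is the question's own config class
    static final String REDIRECT = "http://localhost:3000/callback";
    static final String AUTHORIZE = "https://id.twitch.tv/oauth2/authorize";
    static final String TOKEN = "https://id.twitch.tv/oauth2/token";

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    static String param(String q, String name) { // one query parameter from the callback URL, or null
        for (String kv : (q == null ? "" : q).split("&")) {
            String[] p = kv.split("=", 2);
            if (p.length == 2 && p[0].equals(name)) return URLDecoder.decode(p[1], StandardCharsets.UTF_8);
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Unguessable state ties the callback to this login attempt (CSRF protection for the redirect)
        String state = new java.math.BigInteger(160, new SecureRandom()).toString(32);
        CompletableFuture<String> codeFuture = new CompletableFuture<>();
        HttpServer server = HttpServer.create(new InetSocketAddress("localhost", 3000), 0);
        server.createContext("/callback", ex -> {
            String query = ex.getRequestURI().getRawQuery();
            String code = param(query, "code");
            boolean ok = code != null && state.equals(param(query, "state")); // reject missing or mismatched state
            byte[] body = (ok ? "Login complete, you can close this tab." : "State mismatch, login rejected.").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 400, body.length); ex.getResponseBody().write(body); ex.close();
            if (ok) codeFuture.complete(code); else codeFuture.completeExceptionally(new IllegalStateException("bad callback"));
        });
        server.start();
        System.out.println("Open this URL in a browser:\n" + AUTHORIZE + "?response_type=code&client_id=" + enc(AppConfig.CLIENT_ID)
            + "&redirect_uri=" + enc(REDIRECT) + "&scope=" + enc("user:read:email") + "&state=" + state);
        String code = codeFuture.get(); // blocks until Twitch redirects the browser back to the local server
        server.stop(0);
        // Exchange the one-time code server-side; the user's password never passes through this app
        String form = "grant_type=authorization_code&client_id=" + enc(AppConfig.CLIENT_ID) + "&client_secret=" + enc(AppConfig.CLIENT_SECRET)
            + "&code=" + enc(code) + "&redirect_uri=" + enc(REDIRECT);
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN)).header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode() + " " + resp.body()); // JSON with access_token, refresh_token, expires_in
    }
}
```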