Getting 403 Forbidden Error When Using Password Grant Flow for Twitch API Authentication

I’m trying to authenticate with the Twitch API using the password grant flow but keep running into issues. Here’s my Java implementation:

package streaming.auth.service;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.util.ArrayList;

import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.message.BasicNameValuePair;

public class TwitchAuthenticator {

    public static void main(String[] args) throws URISyntaxException, ClientProtocolException, IOException {
        HttpPost authRequest = new HttpPost("https://api.twitch.tv/kraken/oauth2/token");
        org.apache.http.client.HttpClient httpClient = new DefaultHttpClient();
        ArrayList<NameValuePair> authParams = new ArrayList<NameValuePair>();
        authParams.add(new BasicNameValuePair("grant_type", "password"));
        authParams.add(new BasicNameValuePair("client_id", Config.appId));
        authParams.add(new BasicNameValuePair("client_secret", Config.appSecret));
        authParams.add(new BasicNameValuePair("username", Config.userLogin));
        authParams.add(new BasicNameValuePair("password", Config.userPass));
        authParams.add(new BasicNameValuePair("scope", "user_read"));
        authRequest.setEntity(new UrlEncodedFormEntity(authParams));
        HttpResponse response = httpClient.execute(authRequest);

        // Read and print the response body; try-with-resources closes the stream afterwards.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(response.getEntity().getContent()))) {
            String output;
            while ((output = reader.readLine()) != null) {
                System.out.println(output);
            }
        }
    }
}

The response I get back is:

{"status":403,"message":"Password grant not permitted for client ID xyz123abc456","error":"Forbidden"}

I followed the documentation but still can’t figure out what’s going wrong. Has anyone encountered this before? What could be causing this authentication failure?

yeah, this happens all the time now. twitch disabled password grant for security - your client ID probably lost access. most devs are moving to auth code flow instead. it’s more setup but way safer since users log in directly on twitch rather than handing over their passwords.

Twitch has disabled the password grant flow for most applications due to security concerns, which is likely why you are encountering a forbidden response despite providing the correct credentials. You’ll need to transition to either the Authorization Code flow or the Implicit Grant flow instead. For server-side applications, the Authorization Code flow is recommended as it directs users to Twitch’s authentication page to grant permissions. Following that, you can exchange the authorization code for an access token. While it may seem more complex, this method is significantly more secure since it avoids direct handling of user passwords.
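
The Authorization Code flow described in the replies, as an added sketch that is not code from any poster in this thread. The `id.twitch.tv` endpoints, the redirect URI, the scope name and the class name are assumptions that do not appear on this page; it needs Java 11 or later.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.*;
import java.security.*;
import java.util.*;
import java.util.stream.Collectors;

public class TwitchAuthCodeFlow {
    // Assumption (not in the thread): Twitch's OAuth endpoints on id.twitch.tv.
    static final String AUTHORIZE = "https://id.twitch.tv/oauth2/authorize";
    static final String TOKEN = "https://id.twitch.tv/oauth2/token";

    static String form(Map<String, String> params) {
        return params.entrySet().stream()
            .map(e -> URLEncoder.encode(e.getKey(), UTF_8) + "=" + URLEncoder.encode(e.getValue(), UTF_8))
            .collect(Collectors.joining("&"));
    }

    // Unguessable value kept in the user's session; lets the callback reject forged requests (CSRF).
    static String newState() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Step 1: redirect the browser here; the password is typed on Twitch, never in the app.
    static String authorizeUrl(String clientId, String redirectUri, String scope, String state) {
        return AUTHORIZE + "?" + form(Map.of("response_type", "code", "client_id", clientId,
                "redirect_uri", redirectUri, "scope", scope, "state", state));
    }

    // Step 2: on the callback, check state in constant time, then exchange the code server-side.
    static String exchange(String clientId, String clientSecret, String redirectUri,
                           String code, String returnedState, String sessionState) throws Exception {
        if (returnedState == null || !MessageDigest.isEqual(returnedState.getBytes(UTF_8), sessionState.getBytes(UTF_8)))
            throw new SecurityException("state mismatch, dropping callback");
        HttpRequest req = HttpRequest.newBuilder(URI.create(TOKEN))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form(Map.of("grant_type", "authorization_code",
                "client_id", clientId, "client_secret", clientSecret, "code", code, "redirect_uri", redirectUri))))
            .build();
        HttpResponse<String> res = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) throw new IllegalStateException("token exchange failed: HTTP " + res.statusCode());
        return res.body(); // JSON carrying the access token; keep it out of logs
    }

    public static void main(String[] args) { // placeholder values, constructed for illustration
        System.out.println(authorizeUrl("YOUR_CLIENT_ID", "http://localhost:8080/callback", "user:read:email", newState()));
    }
}
```

The redirect URI passed to `exchange` must be the same one used in `authorizeUrl` and registered for the client ID, and the client secret stays on the server.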
