Issues with Twitch OAuth Authentication Implementation

I’m currently facing challenges while trying to implement Twitch OAuth for user login in my web application. I adapted some example code I found online, but it seems something isn’t working correctly.

The issues appear to arise around the section checking the HTTP response with if ($response['http_code'] == 200). I’m not completely sure what’s wrong. Here’s the part that’s causing confusion:

if ($response['http_code'] == 200) {
    $token_data = json_decode($response_body, true);

    // retrieve user info
    $user_curl = curl_init('https://api.twitch.tv/kraken/user');
    curl_setopt($user_curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($user_curl, CURLOPT_HTTPHEADER, array(
        'Accept: application/vnd.twitchtv.v3+json',
        'Client-ID: ' . $app_id,
        'Authorization: OAuth ' . $token_data['access_token']
    ));
    $user_response = curl_exec($user_curl);
    $user_info = curl_getinfo($user_curl);
    curl_close($user_curl);

    if ($user_info['http_code'] == 200) {
        $user_data = json_decode($user_response);
        // Escape the API-supplied name before writing it into HTML
        echo '<p>Welcome back ' . htmlspecialchars($user_data->display_name, ENT_QUOTES, 'UTF-8') . '!</p>';
        // USER AUTHENTICATED SUCCESSFULLY
    } else {
        echo '<p>Something went wrong, please try again</p>';
    }
}

Here’s my entire code:

$app_id = 'YourAppID';
$app_secret = 'YourAppSecret';
$callback_url = 'http://yoursite.com/callback';

// !empty() avoids an undefined-index notice when no code parameter is present
if (!empty($_GET['code'])) {
    $oauth_url = 'https://api.twitch.tv/kraken/oauth2/token';
    $post_data = array(
        'client_id' => $app_id,
        'client_secret' => $app_secret,
        'grant_type' => 'authorization_code',
        'redirect_uri' => $callback_url,
        'code' => $_GET['code']
    );

    $ch = curl_init($oauth_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    $response_body = curl_exec($ch);
    $response = curl_getinfo($ch);
    curl_close($ch);

    if ($response['http_code'] == 200) {
        $token_data = json_decode($response_body, true);

        $user_curl = curl_init('https://api.twitch.tv/kraken/user');
        curl_setopt($user_curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($user_curl, CURLOPT_HTTPHEADER, array(
            'Accept: application/vnd.twitchtv.v3+json',
            'Client-ID: ' . $app_id,
            'Authorization: OAuth ' . $token_data['access_token']
        ));
        $user_response = curl_exec($user_curl);
        $user_info = curl_getinfo($user_curl);
        curl_close($user_curl);

        if ($user_info['http_code'] == 200) {
            $user_data = json_decode($user_response);
            // Escape the API-supplied name before writing it into HTML
            echo '<p>Welcome back ' . htmlspecialchars($user_data->display_name, ENT_QUOTES, 'UTF-8') . '!</p>';
        } else {
            echo '<p>Something went wrong, please try again</p>';
        }
    } else {
        echo '<p>Authentication failed, please try again</p>';
    }
} else {
    $permissions = array(
        'user_read' => 1,
    );

    $scope_string = '';
    foreach ($permissions as $permission => $enabled) {
        if ($enabled) {
            $scope_string .= $permission . '+';
        }
    }
    $scope_string = rtrim($scope_string, '+');

    $login_url = 'https://api.twitch.tv/kraken/oauth2/authorize?response_type=code';
    $login_url .= '&client_id=' . $app_id;
    // URL-encode the callback so its ':' and '/' survive as a query value
    $login_url .= '&redirect_uri=' . urlencode($callback_url);
    $login_url .= '&scope=' . $scope_string;
    $login_url .= '&force_verify=true';

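    // Escape the URL for the HTML attribute context ('&' becomes '&amp;')
    echo '<a href="' . htmlspecialchars($login_url, ENT_QUOTES, 'UTF-8') . '">Click here to login with Twitch</a>';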
}

Can anyone assist me in identifying the issue? I’m still learning PHP and the Twitch API documentation can be quite confusing.

Just went through this exact headache about six months ago when I was building my first Twitch integration. The main problem you’re running into is that you’re using the deprecated Kraken API endpoints. Twitch shut down most of the v3 Kraken API functionality and you need to switch to the Helix API instead. Replace https://api.twitch.tv/kraken/user with https://api.twitch.tv/helix/users and change your authorization header format from Authorization: OAuth to Authorization: Bearer. Also update your Accept header to remove the v3 reference entirely. The token endpoint should also be updated to https://id.twitch.tv/oauth2/token instead of the kraken one. Once I made these changes my authentication flow worked perfectly. The error responses you’re getting are likely 410 Gone or similar deprecation errors from the old endpoints.

Had this same problem when migrating an old project last year. Your code is trying to use the legacy Kraken API which has been deprecated for quite some time now. The https://api.twitch.tv/kraken/oauth2/token endpoint still works for getting tokens, but the user endpoint https://api.twitch.tv/kraken/user is completely dead now. You need to update your user info request to use https://api.twitch.tv/helix/users and change the authorization header to Authorization: Bearer instead of Authorization: OAuth. Also drop that Accept header with the v3 reference since Helix doesn’t use it. The response structure is different too - user data comes back in a data array, so you’ll need $user_data->data[0]->display_name to get the username. Most authentication issues I see nowadays are from people still using outdated Kraken endpoints.
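
The Helix user lookup described in the answers above, as an added example that is not part of any post in this thread. The function names and the sample response bodies are constructed for illustration; the endpoint, the Bearer header and the data array are the ones the answers name.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

function helix_headers(string $client_id, string $access_token): array {
    // Helix expects "Bearer" (Kraken used "OAuth") and no v3 Accept header.
    return [
        'Client-Id: ' . $client_id,
        'Authorization: Bearer ' . $access_token,
    ];
}

function helix_display_name(int $http_code, $body): ?string {
    // curl_exec() returns false on transport failure, so check the type first.
    if ($http_code !== 200 || !is_string($body)) {
        return null;
    }
    $decoded = json_decode($body);
    // Helix wraps users in a "data" array, which can be empty.
    if (!is_object($decoded) || !isset($decoded->data)
        || !is_array($decoded->data) || count($decoded->data) === 0) {
        return null;
    }
    $name = $decoded->data[0]->display_name ?? null;
    return is_string($name) ? $name : null;
}

function fetch_helix_display_name(string $client_id, string $access_token): ?string {
    $ch = curl_init('https://api.twitch.tv/helix/users');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, helix_headers($client_id, $access_token));
    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return helix_display_name($code, $body);
}

// Constructed sample responses so the parsing can be run offline.
$samples = [
    [200, '{"data":[{"id":"1","login":"example_user","display_name":"Example_User"}]}'],
    [200, '{"data":[]}'],
    [401, '{"status":401,"message":"constructed error body"}'],
];
foreach ($samples as [$code, $body]) {
    $name = helix_display_name($code, $body);
    echo $name === null
        ? "No user returned\n"
        : 'Welcome back ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "!\n";
}
```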

Ran into this exact situation when I was debugging a client’s integration that suddenly stopped working. Beyond the API endpoint issues others mentioned, there’s another common gotcha that might be causing your authentication failures. Check if you’re properly validating the JSON response before trying to access the access_token. I’ve seen cases where the token request appears to return a 200 status but the response body contains an error message instead of valid JSON. Add some error checking after your json_decode call - something like checking if $token_data is null or if it contains an error field. Also make sure your redirect_uri in the token request exactly matches what you registered in your Twitch application settings, including trailing slashes and protocol. Small mismatches there will cause the token exchange to fail even if the initial authorization worked fine.
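
One way to do the checks this answer describes, as an added example that is not part of the original post. The function names are hypothetical and the response bodies and URLs are constructed samples.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

function parse_token_response(int $http_code, $body): array {
    // curl_exec() returns false on failure; an empty body is also unusable.
    if (!is_string($body) || $body === '') {
        return ['ok' => false, 'reason' => 'empty or failed HTTP response'];
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        return ['ok' => false, 'reason' => 'body is not a JSON object'];
    }
    // An error field can arrive even when the status code looks fine.
    if (isset($data['error'])) {
        $err = is_string($data['error']) ? $data['error'] : 'unknown';
        return ['ok' => false, 'reason' => 'error field: ' . $err];
    }
    if ($http_code !== 200) {
        return ['ok' => false, 'reason' => 'HTTP status ' . $http_code];
    }
    if (!isset($data['access_token']) || !is_string($data['access_token'])
        || $data['access_token'] === '') {
        return ['ok' => false, 'reason' => 'no access_token in response'];
    }
    return ['ok' => true, 'access_token' => $data['access_token']];
}

function redirect_uri_matches(string $registered, string $sent): bool {
    // Compared byte for byte: protocol and trailing slash both count.
    return $registered === $sent;
}

// Constructed sample bodies for the token endpoint.
$samples = [
    [200, '{"access_token":"constructed-token","token_type":"bearer"}'],
    [200, '{"error":"constructed_error"}'],
    [200, '<html>Bad Gateway</html>'],
    [200, '{"token_type":"bearer"}'],
];
foreach ($samples as [$code, $body]) {
    $result = parse_token_response($code, $body);
    echo $result['ok'] ? "token accepted\n" : 'rejected: ' . $result['reason'] . "\n";
}

// Constructed URLs: the first pair matches, the other two do not.
$registered = 'https://example.test/callback';
foreach ([$registered, $registered . '/', 'http://example.test/callback'] as $sent) {
    echo $sent . ' => ' . (redirect_uri_matches($registered, $sent) ? 'match' : 'mismatch') . "\n";
}
```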

twitch updated their api endpoints recently and you're using old ones. the kraken api is basically dead now so that's why you're getting errors. try switching to https://id.twitch.tv/oauth2/token for tokens and https://api.twitch.tv/helix/users for user data. also change OAuth to Bearer in your auth header.