Contents

Refreshing Access Tokens

The lifetime of an access token depends on how you acquired the token. When you get a token, the expires_in field indicates how long, in seconds, the token is valid for. When a token expires, it becomes invalid. If you call a Twitch API with an invalid token, the request returns 401 Unauthorized.

Although you could use the expires_in value to proactively get a new token before the token expires, you’re discouraged from using this approach because tokens can become invalid for a number of reasons (see How do tokens become invalid?). Instead, Twitch recommends that apps reactively respond to HTTP status code 401 Unauthorized.

The only access tokens that apps can refresh without requesting user consent are user access tokens created using the OAuth Authorization Code Grant Flow. When you get a user access token using the Authorization Code Grant flow, you also get a refresh token. Generally, refresh tokens are used to extend the lifetime of a given authorization. Your app uses the refresh token to get a new access token after receiving a 401 Unauthorized response.

NOTE You cannot refresh app access tokens.

The following example shows the JSON object that the https://id.twitch.tv/oauth2/token endpoint returns. The object includes an access token and a refresh token. You must safely store both the access token and the refresh token.

{
  "access_token": "0123456789abcdefghijABCDEFGHIJ",
  "refresh_token": "eyJfaWQmNzMtNGCJ9%6VFV5LNrZFUj8oU231/3Aj",
  "expires_in": 5215742,
  "scope": "channel:read:subscriptions",
  "token_type": "bearer"
}

How to use a refresh token

To refresh a user access token, send an HTTP POST request to https://id.twitch.tv/oauth2/token. The following table lists the x-www-form-urlencoded parameters that you pass in the body of the request.

Parameter Required? Type Description
client_id Yes String Your app’s client ID. See Registering your app.
client_secret Yes String Your app’s client secret. See Registering your app.
grant_type Yes String Must be set to refresh_token.
refresh_token Yes String The refresh token issued to the client.

You must URL encode the refresh token before posting the request. If you don’t, and the token contains restricted characters, the request may fail with “Invalid refresh token”.

The following cURL example shows a refresh request. Remember to URL encode your refresh token.

curl -X POST https://id.twitch.tv/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token&refresh_token=gdw3k62zpqi0kw01escg7zgbdhtxi6hm0155tiwcztxczkx17&client_id=<your client id goes here>&client_secret=<your client secret goes here>'

If the request succeeds, the response contains the new access token, refresh token, and scopes associated with the new grant. Because refresh tokens may change, your app should safely store the new refresh token to use the next time.

{
  "access_token": "1ssjqsqfy6bads1ws7m03gras79zfr",
  "refresh_token": "eyJfMzUtNDU0OC4MWYwLTQ5MDY5ODY4NGNlMSJ9%asdfasdf=",
  "scope": [
    "channel:read:subscriptions",
    "channel:manage:polls"
  ],
  "token_type": "bearer"
}

The following example shows what the response looks like if the request fails.

{
  "error": "Bad Request",
  "status": 400,
  "message": "Invalid refresh token"
}

Can a refresh token become invalid?

Yes, refresh tokens can become invalid. Refresh tokens, like access tokens, can become invalid if the user changes their password or disconnects your app. Refresh tokens will also expire 30 days after they are generated, which will invalidate the refresh token.

A refresh request can fail with HTTP status code 401 Unauthorized if the refresh token is no longer valid. If the refresh fails, the application should re-prompt the end user for consent using the Authorization Code Grant flow or OIDC Authorization Code Grant flow.

Handling token refreshes in a multi-threaded app

At any given point in time, the maximum number of valid access tokens that a refresh token can be associated with is 50. If a refresh token has 50 valid access tokens associated with it and you try to create the 51st, the request fails. This limit might become an issue if multiple threads sharing the same authorization try to simultaneously refresh the access token. In this case, it’s possible that the refresh request may fail for some of the threads after the refresh token reaches the 50 access token limit.

For multi-threaded apps, Twitch recommends that your app refresh the access token in one thread, which then distributes the new access token to the other threads.