Skip to content

Twitch API Keys

Service Name: Twitch

Service Description: Twitch is a live-streaming platform primarily focused on video game streaming, but also includes streams dedicated to artwork creation, music, talk shows, and occasional TV series. It's owned by Amazon and allows content creators to monetize their streams through various methods.

Service Address: https://www.twitch.tv/ (Developer portal: https://dev.twitch.tv/)

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level in the Twitch Developer Console, but not directly on the API key level.

Secret Access Scope: Grants programmatic access to Twitch API endpoints based on the scopes requested during app registration. Can access user data, channel information, analytics, and perform actions like creating clips or managing stream information.

Secret Revokement URL: https://dev.twitch.tv/console/apps

Secret Example: abcdefghijklmnopqrstuvwxyz123456

Suspicious Activity Investigation Instructions:

  • Review the Twitch Developer Console for unusual API usage patterns or unexpected requests.
  • Check for unauthorized applications or webhooks registered with your Twitch account.
  • Monitor for unexpected changes to channel settings or stream configurations.
  • Review the OAuth scopes that have been granted to applications using your API key.
  • Check for unusual geographic access patterns in your developer analytics.

Mitigation Instructions:

  • Log in to the Twitch Developer Console at https://dev.twitch.tv/console/apps
  • Locate the compromised application in your list of registered applications.
  • Click on "Manage" next to the application.
  • Select "Delete" to completely remove the application and invalidate its credentials.
  • Alternatively, you can regenerate the client secret by clicking on "New Secret" if you want to maintain the application.
  • Create a new application with proper security controls if needed.
  • Review and limit the OAuth scopes requested by your application to the minimum necessary.
  • Enable and review webhook subscriptions to monitor for unauthorized activities.