Skip to content

Twitch User App Credentials

Service Name: Twitch

Service Description: Twitch is a live-streaming platform for gamers and content creators, allowing users to broadcast their gameplay or creative content, interact with viewers, and build communities. Twitch API enables developers to integrate Twitch features into their applications.

Service Address: https://www.twitch.tv/

Validation Type: API Auth

IP Allow list: Does not exist at the secret level. IP restrictions can be configured at the application level through Twitch Developer Console.

Secret Access Scope: Grants programmatic access to Twitch API endpoints based on the scopes defined during app creation. Can access user data, channel information, manage streams, and interact with Twitch services depending on authorized scopes.

Secret Revokement URL: https://dev.twitch.tv/console/apps

Secret Example: abcdefghijklmnopqrstuvwxyz123456

Suspicious Activity Investigation Instructions:

  • Review the Twitch Developer Console for unusual API calls or access patterns
  • Check application logs for unexpected authentication attempts
  • Monitor for unauthorized changes to channel settings or content
  • Review webhook subscriptions for any unauthorized additions
  • Check for unusual geographic access patterns in your application logs
  • Verify if there are any unexpected changes to app configuration or scopes

Mitigation Instructions:

  • Log in to the Twitch Developer Console at https://dev.twitch.tv/console
  • Navigate to "Applications" and select the compromised application
  • Click "Manage" for the affected application
  • Select "Reset Client Secret" to invalidate the current credentials
  • Update your application code with the new client secret
  • Review and potentially reduce the OAuth scopes requested by your application
  • Enable two-factor authentication on the Twitch account that owns the application
  • Review and update your application's callback URLs to prevent redirect attacks