How to generate new Twitch OAuth token and make older one obsolete?

[sourKiwi0]

Description

Sorry if it has been asked before. Asking just in case I accidentally leak it.
Would logging in the account for normal use on any browser resets it?

I followed this to get my current OAuth token: https://streamlink.github.io/cli/plugins/twitch.html#authentication

Answer

To revoke the old OAuth token:

• press "Sign Out Everywhere" on https://twitch.tv/settings/security
• Changing password also worked.

[bastimeyer]

Unlike Streamlink Twitch GUI, Streamlink does not provide any OAuth integrations with Twitch. Whatever you're doing with OAuth tokens from Twitch's GQL API, you're on your own and you're using them at your own risk.

Twitch's GQL API is private and only exists for their own website. With their public Helix API (very limited access to data and no streaming access tokens) that can be used by 3rd party applications, you must explicitly grant the registered application access to your account, and then you can revoke access via their website's settings menu.

Whether the GQL API's OAuth token (that you're getting by reading your web browser's cookies) expires by logging out on their website and logging back in (which will generate a new token), I can't tell you. Try it out.

An invalid/expired OAuth token should result in an error message:

$ streamlink --no-config --no-plugin-cache --webbrowser=false --twitch-api-header="Authorization=OAuth invalid" twitch.tv/CHANNEL best
[cli][info] Found matching plugin twitch for URL twitch.tv/CHANNEL
[plugins.twitch][info] Acquiring new client-integrity token...
[plugins.twitch][error] The webbrowser API has been disabled by the user
[plugins.twitch][warning] No client-integrity token acquired
error: Unauthorized: The "Authorization" token is invalid.

[sourKiwi0]

Whether the GQL API's OAuth token (that you're getting by reading your web browser's cookies) expires by logging out on their website and logging back in (which will generate a new token), I can't tell you. Try it out.

Thank you for telling me to test it myself. I was so confused why I was still able to use my 4 months old OAuth token, despite logging in/out multiple times (new tokens expires after log out, different token generated every log-in).

To revoke the old OAuth token:

• press "Sign Out Everywhere" on https://twitch.tv/settings/security
• Changing password also worked.

So the old token were persistent because I Log-in > grab token > close browser. So it never "Logged out"?

This is really nice to know, thank you so much for your time and help

What is the danger of leaked OAuth token?

[bastimeyer]

"Sign Out Everywhere"

Good to know. I wasn't aware they had that option.

Third party applications and their OAuth tokens can be revoked in the "Settings -> Connections" menu on their site, which is what I was referring to. But as said, this is unrelated to Streamlink.

Let's add a note for this to the docs, because you're not the first one to ask (or leak their token).

What is the danger of leaked OAuth token?

OAuth tokens allow certain actions to be made with your user account (in place of a username and password) with respect to the selected permission scopes, e.g. following channels, accessing chat, or even reading the streaming ingest token.

On a regular third party application, the app developer can choose which of the available permissions are needed, and those will be shown to the user when connecting the application with their account, before they confirm the connection.
https://dev.twitch.tv/docs/authentication#user-access-tokens

Since their site operates on the same principle but uses a private API that's not meant for third party application developers, they likely grant those tokens full permissions. I haven't checked this though (and I'm not really interested).

[sourKiwi0]

Thank you for your explanation. I will be a lot more careful.

IMPORTANT Treat access tokens, refresh tokens, and client secrets like a password and safeguard them.

I think this part is really important. Maybe it's obvious for developers, but as a normal user I didn't know..
I guess it makes sense because it uses the subscription status to not serve ads

But anyway, I'm glad I asked and thank you again for your time and your help