This guide describes how to use Twitch Authentication to enable your application to take actions on behalf of a Twitch account or access certain data about users’ accounts.
The preferred method of authentication is OAuth.
Warning: Treat your token like a password. For example, never use access tokens in any public URL, and never display tokens on any web page without requiring a click to de-obfuscate.
If you use Twitch authentication for login purposes only, access tokens should be validated on a recurring interval. Periodic validation of previously issued OAuth tokens ensures that users who authorized your application have not decided to disconnect the integration.
You must validate access tokens before making API requests which perform mutations on or access sensitive information of users, if it has been more than one hour since the last validation.
If we discover an application that is not re-validating access tokens (that is, an application that validates only for login and not thereafter), we will reach out and work with developers to resolve the issue. If the issue is not resolved, we may take punitive action, such as revoking the developer’s API key or throttling the application’s performance.
Validation is important because of how OAuth access tokens work and the end user’s expectation of OAuth session control. For example, users who opt to disconnect your integration from their Twitch accounts can do so from their account settings on Twitch.
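One way to enforce the one-hour re-validation rule this guide describes, as an added example that is not Twitch's own code. The validation endpoint URL and the `Authorization: OAuth` header form are not stated on this page and are assumptions here; `TokenGuard`, `ensure_valid` and `twitch_validate` are hypothetical names.

```python
import hashlib
import json
import time
import urllib.error
import urllib.request

VALIDATE_URL = "https://id.twitch.tv/oauth2/validate"  # assumption: not stated on this page
MAX_AGE = 3600  # seconds; the page's "more than one hour" threshold


def twitch_validate(token):
    """Ask Twitch whether the token is still valid; None means revoked or expired."""
    req = urllib.request.Request(VALIDATE_URL, headers={"Authorization": f"OAuth {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return None
        raise  # outage or rate limit: fail closed, never treat as valid


class TokenGuard:
    """Tracks when each token was last validated and re-validates when stale."""

    def __init__(self, validate=twitch_validate, clock=time.monotonic):
        self._validate = validate
        self._clock = clock
        self._last_ok = {}  # sha256(token) -> time of last successful validation

    @staticmethod
    def _key(token):
        # Store a digest so the raw token never sits in this table or in logs of it.
        return hashlib.sha256(token.encode()).hexdigest()

    def ensure_valid(self, token):
        """Call before any request that mutates or reads sensitive user data."""
        key = self._key(token)
        last = self._last_ok.get(key)
        if last is not None and self._clock() - last <= MAX_AGE:
            return True  # validated within the last hour
        if self._validate(token) is None:
            self._last_ok.pop(key, None)  # user disconnected: end the session
            return False
        self._last_ok[key] = self._clock()
        return True
```

When `ensure_valid` returns `False`, discard the stored token and log the user out instead of retrying the API request.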