Twitch auth example

Update: added support for optional states that are managed inside BlushyFace.Twitch.Authentication, and renamed some methods so it's clearer what they do. These changes are not reflected in the [original] post below.



BlushyFace.Twitch.Authentication is a lightweight C# .NET Core library that makes it easy to authenticate Twitch users using OAuth.


Available methods
OAuth.OpenBrowserImplicitFlow(…); // opens a browser for implicit flow + redirect
OAuth.OpenBrowserAuthorizationFlow(…); // opens a browser for authorization flow + redirect
OAuth.GetTokenAppAccessAsync(…); // get an app access token
OAuth.GetTokenUserAccessAsync(…); // get a user access token
OAuth.ValidateTokenAsync(…); // validate an access token
OAuth.RefreshTokenAsync(…); // refresh an access token
OAuth.RevokeTokenAsync(…); // revoke an access token


How to use
1) reference a compiled BlushyFace.Twitch.Authentication.dll version in your C# project.
2) create a new instance of Settings and provide a valid client id, client secret and redirect url (you can get this from
3) pass the settings to a new Authenticate instance and use OAuth like this -> var oAuth = new Authenticate(settings).OAuth; (see below for code example)
4) you should now be ready to create / refresh / validate / revoke tokens.

var settings = new Settings() { ClientId = "", ClientSecret = "", RedirectUrl = "http://localhost:8081/auth" };
var oAuth = new Authenticate(settings).OAuth;

Note: for demonstration purposes the tests are done running a local HTTP server based on


Implicit code flow
This generates a user access token that is valid for ~60 days and cannot be refreshed.

1) open the implicit flow with the default browser by doing -> oAuth.OpenBrowserImplicitFlow("scopes here");
2) after the user authenticates it returns the access token
3) to validate an implicit access token see further below for an example


Authorization code flow
This generates a user access token that is valid for ~4 hours and can be refreshed.

1) open the authorization flow with the default browser by doing -> oAuth.OpenBrowserAuthorizationFlow("scopes here");
1a) after the user authenticates, the browser is redirected back to the redirect URL and the local HTTP server exchanges the code for a user access token like this:

    if (qsPair.Equals("code"))
    {
        // exchange the code from the redirect for a user access token, then validate it
        var authToken = await oAuth.GetTokenUserAccessAsync(exchangeCode);
        var validationToken = await oAuth.ValidateTokenAsync(authToken.AccessToken);
        // rest of flow
    }
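
The update note mentions state handling, and step 1a has the local HTTP server exchange the code. This added example (not code from the library or the original post) shows the check a callback handler can make before calling GetTokenUserAccessAsync, using only .NET base class library calls. StateGuard, NewState and TryGetCode are hypothetical names, and the callback URLs are constructed samples.

```csharp
// Added example; StateGuard and its members are hypothetical, not part of BlushyFace.Twitch.Authentication.
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class StateGuard
{
    // 32 random bytes, base64url-encoded so the value is safe inside a query string.
    public static string NewState()
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Returns the exchange code only when the callback carries the state issued before the redirect.
    public static bool TryGetCode(Uri callback, string expectedState, out string code)
    {
        code = null;
        var query = HttpUtility.ParseQueryString(callback.Query);
        // A denied authorization comes back as ?error=...; never exchange in that case.
        if (query["error"] != null) return false;
        var state = query["state"];
        if (string.IsNullOrEmpty(state) || string.IsNullOrEmpty(expectedState)) return false;
        // Constant-time comparison of the returned state with the stored one.
        var a = Encoding.UTF8.GetBytes(state);
        var b = Encoding.UTF8.GetBytes(expectedState);
        if (!CryptographicOperations.FixedTimeEquals(a, b)) return false;
        code = query["code"];
        return !string.IsNullOrEmpty(code);
    }
}

public static class Program
{
    public static void Main()
    {
        var state = StateGuard.NewState();
        // Constructed callback URLs for the redirect URL used on this page.
        var good = new Uri("http://localhost:8081/auth?code=constructed-code&scope=&state=" + state);
        var forged = new Uri("http://localhost:8081/auth?code=constructed-code-2&state=guessed");
        Console.WriteLine(StateGuard.TryGetCode(good, state, out var code) + " " + code);
        Console.WriteLine(StateGuard.TryGetCode(forged, state, out _));
    }
}
```

Store the issued state per login attempt and discard it after the first callback so a replayed redirect cannot reuse it.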

Client credentials flow
This generates an app access token that is valid for ~60 days and can be refreshed.

1) get an app access token by -> await oAuth.GetTokenAppAccessAsync("scopes here");

Validating tokens
1) validating tokens is done by -> await oAuth.ValidateTokenAsync("access token here");

Refreshing tokens
Because tokens expire you can refresh them with a refresh token (implicit code flow does not have a refresh token).

1) refreshing tokens is done by -> await oAuth.RefreshTokenAsync("refresh token here");

Revoking tokens
1) revoking tokens can be done by -> await oAuth.RevokeTokenAsync("access token here");
1a) when successful a “200 OK” status code will be returned



Example: refresh an expired token

var token = await oAuth.ValidateTokenAsync("access token here");
if (token != null)
{
    if (token.ExpiresIn < DateTime.Now)
    {
        // refresh the expired token
        var refresh = await oAuth.RefreshTokenAsync("refresh token here");

        // validate the new token
        var validate = await oAuth.ValidateTokenAsync(refresh.AccessToken);
        // do other stuff here
    }
    else
    {
        // token is still valid
    }
}