Lib.rs

Authentication
#oauth2 #twitch #twitch-api

twitch_oauth_token

Type-safe Twitch OAuth 2.0 authentication library with CSRF protection and full scope support

Owned by m3id.

67 releases (44 stable)

Uses new Rust 2024

4.4.0 Mar 30, 2026
4.0.0 Feb 7, 2026
3.1.0 Jan 25, 2026
3.0.0 Dec 8, 2025
0.0.4 Mar 2, 2024

#151 in Authentication


Used in twitch_highway

MIT/Apache

165KB
2.5K SLoC

twitch_oauth_token

CI crates.io Documentation license: MIT

A Rust library for Twitch OAuth 2.0 authentication with compile-time safety and comprehensive scope support.

  • Token management - Refresh, validate, and revoke tokens
  • Type-safe OAuth flows - Compile-time prevention of invalid operations using the type-state pattern
  • HMAC-based CSRF protection - Cryptographically secure state validation using HMAC-SHA256 with timestamp validation
  • Full Twitch scope support - All Twitch API scopes with convenient helper methods
  • Pre-configured HTTP client - Includes an optimized authentication client preset from asknothingx2-util
  • Twitch mock API support - Built-in support for the Twitch CLI mock API for testing and certification

Installation

[dependencies]
twitch_oauth_token = "4"
tokio = { version = "1", features = ["full"] }

Quick Start

App access token

use twitch_oauth_token::TwitchOauth;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let oauth = TwitchOauth::new("client_id", "client_secret");

    let token = oauth.app_access_token().await?;

    println!("App token: {}", token.access_token.secret());
    println!("Expires in: {} seconds", token.expires_in);

    Ok(())
}

User access token

use std::str::FromStr;
use twitch_oauth_token::{RedirectUrl, TwitchOauth};

fn main() {
    let oauth = TwitchOauth::new("client_id", "client_secret")
        .with_redirect_uri(RedirectUrl::from_str("http://example.com/auth/callback").unwrap());

    let mut auth_request = oauth.authorization_url();
    auth_request.scopes_mut().chat_api();

    // Create authorization URL for the user to visit
    let auth_url = auth_request.url();

    println!("Visit: {}", auth_url);
}

Handling OAuth Callback

use twitch_oauth_token::{AuthCallback, TwitchOauth, UserAuth};

async fn handle_callback(
    oauth: &TwitchOauth<UserAuth>,
    oauth_callback: AuthCallback,
) -> Result<(), twitch_oauth_token::Error> {
    let token = oauth
        .exchange_code(oauth_callback.code, oauth_callback.state)
        .await?;

    println!("Access token: {}", token.access_token.secret());
    println!("Refresh token: {}", token.refresh_token.secret());
    println!("Scopes: {:?}", token.scope);
    println!("Expires in: {} seconds", token.expires_in);

    Ok(())
}

Device code Flow

use twitch_oauth_token::{ClientId, TwitchOauth};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mut device_flow = TwitchOauth::device_auth(ClientId::from("client_id"));
    device_flow.scopes_mut().chat_api();

    let resp = device_flow.request().await?;
    println!("Visit: {}", resp.verification_uri);

    let token = device_flow.poll(resp).await?;
    println!("Access token: {}", token.access_token.secret());
    println!("Refresh token: {}", token.refresh_token.secret());
    println!("Scopes: {:?}", token.scope);
    println!("Expires in: {} seconds", token.expires_in);

    Ok(())
}

Feature Flags

  • oneshot - Built-in development server for handling OAuth callbacks
  • test - Testing utilities and mock server support

License

Licensed under either of:

  • Apache License, Version 2.0
  • MIT license

Dependencies

~35–54MB
~1M SLoC