Delete Videos Endpoint not working

[mrfelipemartins]

Brief description

The endpoint: DELETE https://api.twitch.tv/helix/videos always return 401 Unauthorized. The access token used has the channel:manage:videos scope.

How to reproduce

Create a CURL request:

curl -X DELETE 'https://api.twitch.tv/helix/videos?id=1234' \ -H 'Authorization: Bearer oauthToken' \ -H 'Client-Id: clientid'

and get:

{ "error": "Unauthorized", "status": 401, "message": "{\"error\":\"You are not authorized\",\"message\":\"You are not authorized\",\"status\":401}" }

Expected behavior

Video should be deleted since user has permissions.

Additional context or questions

The access token works for every other endpoint, except for this one. The user has granted permission to manage videos trough channel:manage:videos scope but still gets 401 unauthorized.

[BarryCarlyon]

Can you use the token against the validate endpoint and confirm it has a user_id in the response to confirm you used the right token type?

[CommanderRoot]

I just noticed this bug as well as I tried to move to the Helix API due to the v5 shutting down soon™.

Proof my token has the right auth:

Error message:

Vod URL: https://www.twitch.tv/videos/1282093920

[BarryCarlyon]

I just noticed this bug as well as I tried to move to the Helix API due to the v5 shutting down soon™.

You omitted the ClientID header in your delete call

[CommanderRoot]

It's not visible in the screenshot as I only selected the area until the authorization header but the Client-Id is send on the Helix call. The id.twitch.tv request doesn't have it (and also doesn't need it)

[BarryCarlyon]

Wasn't able to test this until today.

It worked as expected for me. However I use a "server" call rather than a frontend/client side call.

[CommanderRoot]

Yeah not sure. I just tried it again in Insomnia to get the request as plain as possible: Validate request: Helix request:

If I use an invalid oauth token the error changes to "Invalid OAuth token". If I change the Client-Id then it will be "Client ID and OAuth token do not match". If I change the ID I want to delete the error stays the same so maybe it's something with the lookup of the ID or ID -> owned by user is the issue, no idea. Whatever the issue is, it prevents me from deleting VODs via Helix. I can still do it fine via kraken using the same token though.

[BarryCarlyon]

My attempt today was with the scopes

• channel_editor
• user:edit:broadcast
• user:read:broadcast

So I had a "scope equivalency" score

Worth retrying with a token with JUST channel:manage:videos and a token with just channel_editor which might help narrow it down?

There was a bug on another endpoint where if you had both the old and new scope it didn't work for $thing (I forget which) And I wonder if they have broken the new scope for deleting videos?

Not the easiest to test since can't arbitarily upload videos anymore.

[CommanderRoot]

My first report was only with the channel:manage:videos as that's the one listed in the docs (which didn't work). I then added both so I can use the kraken one on my tool. Just using user:edit:broadcast returns {"error":"Unauthorized","status":401,"message":"Missing scope: channel:manage:videos or channel_editor"} Using channel_editor + user:edit:broadcast or channel:manage:videos + user:edit:broadcast both worked. Seems weird but looks like you need to have either permission combination to delete VODs via Helix. Either way, thanks for your scopes which helped debugging this behaviour.

[BarryCarlyon]

At least we have narrowed it down.

Weird that we need two scopes :-|

Side related issue is #446

[jbulava]

We've confirmed the cause of the issue is scoping. Thanks for the due diligence to narrow it down. The API engineering team is investigating the best way to resolve.

[Xemdo]

Tested this again with the scopes listed on the docs (channel:manage:videos). Working fine now. Notify here if it pops back up