Brief descriptionhttps://dev.twitch.tv/docs/authentication/refresh-tokens/ documents the client_secret attribute as required which is not correct anymore. It is only required for confidential client types, not for public ones. Public clients using the recently introduced Device Code Grant Flow do not have a client_secret and do not need to provide it.
My tests confirm this, as I was able to exchange a refresh token of a public client for a new access token without including a client_secret attribute in the body of the request.
Brief description https://dev.twitch.tv/docs/authentication/refresh-tokens/ documents the
client_secretattribute asrequiredwhich is not correct anymore. It is only required for confidential client types, not for public ones. Public clients using the recently introduced Device Code Grant Flow do not have aclient_secretand do not need to provide it.My tests confirm this, as I was able to exchange a refresh token of a public client for a new access token without including a
client_secretattribute in the body of the request.