Brief descriptionhttps://dev.twitch.tv/docs/authentication/refresh-tokens/ documents the client_secret attribute as required which is not correct anymore. It is only required for confidential client types, not for public ones. Public clients using the recently introduced Device Code Grant Flow do not have a client_secret and do not need to provide it.
My tests confirm this, as I was able to exchange a refresh token of a public client for a new access token without including a client_secret attribute in the body of the request.
Brief description https://dev.twitch.tv/docs/authentication/refresh-tokens/ documents the
client_secret
attribute asrequired
which is not correct anymore. It is only required for confidential client types, not for public ones. Public clients using the recently introduced Device Code Grant Flow do not have aclient_secret
and do not need to provide it.My tests confirm this, as I was able to exchange a refresh token of a public client for a new access token without including a
client_secret
attribute in the body of the request.