Token Types

There are two types of tokens available for the Kick Dev API: App Access Tokens and User Access Tokens. Each type is generated through its own OAuth flow, and the two are generally used in different scenarios.

App Access Token

App Access Tokens are generated through the Client Credentials flow. These server-to-server API tokens are the most basic form of token for accessing the API. They can access publicly available data and are ideal for use when user login is not required.

User Access Token

User Access Tokens are generated through the Authorization Grant flow. These tokens give an application access to the user’s information based on the scopes the App has requested. This gives an App more privileged information and access, and will often allow it to act on the user’s behalf.

Kick OAuth Server

The Kick OAuth server is hosted on id.kick.com. Information from creating an App will be required in these endpoints. Check out the Kick Apps Setup page to get the information for your App.
The host URL for our OAuth server is different from our API server. The host URL is: https://id.kick.com

Authorization Endpoint

Authorization

Directs the user to the authorization server where they can log in and approve the application’s access request.

Query Parameters

client_id (string, required): Your application’s client ID
response_type (string, required): Must be code
redirect_uri (uri, required): The URI to redirect users to after authorization
state (string, required): A random string to maintain state between the request and callback
scope (string, required): Space-separated list of scopes for request
code_challenge (string, required): OAuth code challenge
code_challenge_method (string, required): Must be S256

Response

https://yourapp.com/callback?code=<code>&state=random-state

Example

GET
https://id.kick.com/oauth/authorize?
    response_type=code&
    client_id=<your_client_id>&
    redirect_uri=<https://yourapp.com/callback>&
    scope=<scopes>&
    code_challenge=<code_challenge>&
    code_challenge_method=S256&
    state=<random_value>

Token Endpoint

Token

Exchanges the code for a valid access token and a refresh token that can be used to make authorised requests to Kick’s API.

Headers

Content-Type (string, required): Must be application/x-www-form-urlencoded

Request Body

code (string, required): Code received during the Authorization Flow
client_id (string, required): Your application’s client ID
client_secret (string, required): Your application’s client secret
redirect_uri (string, required): The URI to redirect users to after authorization
grant_type (string, required): Must be authorization_code
code_verifier (string, required): The PKCE code verifier, used to verify the code challenge that was created

Response

{
  "access_token": "",
  "token_type": "",
  "refresh_token": "",
  "expires_in": "",
  "scope": ""
}

Example

POST https://id.kick.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
client_id=<client_id>&
client_secret=<client_secret>&
redirect_uri=<redirect_uri>&
code_verifier=<code_verifier>&
code=<CODE>
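
The PKCE and state handling that the Authorization and Token endpoints above require, shown as an added example that is not part of Kick's documentation: it generates the code_verifier, the S256 code_challenge and the state, builds the authorize URL, and builds the token request body only after the state returned on the callback matches. The function names and the `session` dict are assumptions, and no network call is made.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://id.kick.com/oauth/authorize"  # host given on this page


def s256_challenge(verifier):
    """code_challenge for code_challenge_method=S256: base64url(SHA-256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, scope):
    """Return (url, session). Keep `session` server-side, bound to the user's browser session."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside RFC 7636's 43-128 range
    state = secrets.token_urlsafe(32)     # unguessable, single use
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,  # space-separated list
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}


def token_request_body(callback_url, session, client_id, client_secret, redirect_uri):
    """Reject a callback whose state does not match, then build the /oauth/token form body."""
    params = parse_qs(urlparse(callback_url).query)
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only, never sent to the browser
        "redirect_uri": redirect_uri,
        "code_verifier": session["code_verifier"],
        "code": params["code"][0],
    })
```

The returned body is sent with Content-Type application/x-www-form-urlencoded; discard `session` after one use so a replayed callback fails the state check.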

App Access Token Endpoint

App Access Token

Uses a client_id and client_secret to generate an app access token which can be used to obtain public data on Kick.

Headers

Content-Type (string, required): Must be application/x-www-form-urlencoded

Request Body

client_id (string, required): Your application’s client ID
client_secret (string, required): Your application’s client secret
grant_type (string, required): Must be client_credentials

Response

{
  "access_token": "",
  "token_type": "",
  "expires_in": ""
}

Example

POST https://id.kick.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=<client_id>&
client_secret=<client_secret>

Refresh Token Endpoint

Refresh Token

Pass in a refresh token to refresh both the access token and the refresh token.

Headers

Content-Type (string, required): Must be application/x-www-form-urlencoded

Request Body

refresh_token (string, required): Code received during the Authorization Flow
client_id (string, required): Your application’s client ID
client_secret (string, required): Your application’s client secret
grant_type (string, required): Must be refresh_token

Response

{
  "access_token": "",
  "token_type": "",
  "refresh_token": "",
  "expires_in": "",
  "scope": ""
}

Example

POST https://id.kick.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
client_id=<client_id>&
client_secret=<client_secret>&
refresh_token=<refresh_token>

Revoke Token Endpoint

Revoke Token

Pass in a token to revoke access to that token.

Headers

Content-Type (string, required): Must be application/x-www-form-urlencoded

Query Parameters

token (string, required): The token to be revoked
token_hint_type (string): access_token or refresh_token

Response

OK

Example

POST https://id.kick.com/oauth/revoke?token=<your_token>&token_hint_type=<token_type>
Content-Type: application/x-www-form-urlencoded