Token Types

There are 2 types of tokens available for the Kick Dev API: App Access Token and User Access Token. Each token type is generated through its own OAuth flow, and the two are generally used in different scenarios.

App Access Token

App Access Tokens are generated through the Client Credentials flow. These server-to-server API tokens are the most basic form of token for accessing the API. They can access publicly available data and are ideal for use when user login is not required.

User Access Token

User Access Tokens are generated through the Authorization Grant flow. These tokens give an application access to the user’s information based on the scopes the App has requested. This gives more privileged information and access to an App and will often allow an App to act on the user’s behalf.

Kick OAuth Server

The Kick OAuth server is hosted on id.kick.com.

Information from creating an App will be required in these endpoints. Check out the Kick Apps Setup page to get the information for your App.

The host URL for our OAuth server is different from our API server.

The host URL is: https://id.kick.com

Authorization Endpoint

Authorization

Directs the user to the authorization server where they can log in and approve the application’s access request.

Query Parameters

client_id
string
required

Your application’s client ID

response_type
string
required

Must be code

redirect_uri
uri
required

The URI to redirect users to after authorization

state
string
required

A random string to maintain state between the request and callback

scope
string
required

Space-separated list of scopes for request

code_challenge
string
required

OAuth code challenge

code_challenge_method
string
required

Must be S256

Response

https://yourapp.com/callback?code=<code>&state=random-state

Example

GET
https://id.kick.com/oauth/authorize?
    response_type=code&
    client_id=<your_client_id>&
    redirect_uri=<https://yourapp.com/callback>&
    scope=<scopes>&
    code_challenge=<code_challenge>&
    code_challenge_method=S256&
    state=<random_value>

Token Endpoint

Token

Exchanges the code for a valid access token and a refresh token that can be used to make authorised requests to Kick’s API.

Headers

Content-Type
string
required

Must be application/x-www-form-urlencoded

Request Body

code
string
required

Code received during the Authorization Flow

client_id
string
required

Your application’s client ID

client_secret
string
required

Your application’s client secret

redirect_uri
string
required

The URI to redirect users to after authorization

grant_type
string
required

Must be authorization_code

code_verifier
string
required

The PKCE code verifier, used to verify the code challenge sent to the Authorization Endpoint

Response

{
  "access_token": "",
  "token_type": "",
  "refresh_token": "",
  "expires_in": "",
  "scope": ""
}

Example

POST https://id.kick.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
client_id=<client_id>
client_secret=<client_secret>
redirect_uri=<redirect_uri>
code_verifier=<code_verifier>
code=<CODE>
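
Added example (not part of Kick's documentation or code): a client-side sketch of the Authorization and Token steps above, showing how code_challenge is derived from code_verifier for S256, how the returned state is checked before the code is used, and how the token request body is built. The function names are hypothetical, the verifier length follows RFC 7636, and no network request is made.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_URL = "https://id.kick.com/oauth/authorize"  # endpoint given on this page

def new_verifier():
    # 64 random bytes -> 86 URL-safe chars (RFC 7636 allows 43 to 128).
    return secrets.token_urlsafe(64)

def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)), without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_authorize_url(client_id, redirect_uri, scopes, challenge, state):
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # space-separated list
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return AUTH_URL + "?" + urlencode(params)

def code_from_callback(callback_url, expected_state):
    """Return the code only if state matches the value stored for this session."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if len(query.get("code", [])) != 1:
        raise ValueError("callback must carry exactly one code")
    return query["code"][0]

def token_request_body(code, verifier, client_id, client_secret, redirect_uri):
    """application/x-www-form-urlencoded body for POST /oauth/token."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        "code": code,
    })
```

Keep the verifier and state server-side, bound to the user's session, between the redirect and the callback; generate the state with the same kind of random source as the verifier (for example secrets.token_urlsafe).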

App Access Token Endpoint

App Access Token

Uses a client_id and client_secret to generate an app access token which can be used to obtain public data on Kick.

Headers

Content-Type
string
required

Must be application/x-www-form-urlencoded

Request Body

client_id
string
required

Your application’s client ID

client_secret
string
required

Your application’s client secret

grant_type
string
required

Must be client_credentials

Response

{
  "access_token": "",
  "token_type": "",
  "expires_in": ""
}

Example

POST https://id.kick.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
client_id=<client_id>
client_secret=<client_secret>

Refresh Token Endpoint

Refresh Token

Pass in a refresh token to refresh both the access token and the refresh token.

Headers

Content-Type
string
required

Must be application/x-www-form-urlencoded

Request Body

refresh_token
string
required

Refresh token received during the Authorization Flow

client_id
string
required

Your application’s client ID

client_secret
string
required

Your application’s client secret

grant_type
string
required

Must be refresh_token

Response

{
  "access_token": "",
  "token_type": "",
  "refresh_token": "",
  "expires_in": "",
  "scope": ""
}

Example

POST https://id.kick.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token
client_id=<client_id>
client_secret=<client_secret>
refresh_token=<refresh_token>

Revoke Token Endpoint

Revoke Token

Pass in a token to revoke access to that token.

Headers

Content-Type
string
required

Must be application/x-www-form-urlencoded

Query Parameters

token
string
required

The token to be revoked

token_hint_type
string

access_token or refresh_token

Response

OK

Example

POST https://id.kick.com/oauth/revoke?token=<your_token>&token_hint_type=<token_type>
Content-Type: application/x-www-form-urlencoded