Nightbot API 400 - badly written POST-request?

First and foremost, you should never make OAuth2 token calls containing a secret from client-side code. Your client secret is a secret, and must be kept on a backend server and not shared with clients.

Additionally, if you’re just making an integration for yourself to use, you can skip the authorization code and authenticate with client credentials instead:

POST https://api.nightbot.tv/oauth2/token
    grant_type=client_credentials&
    client_id=CLIENT_ID&
    client_secret=CLIENT_SECRET

If you’re building an integration for others to use, you want to exchange the code for a token using your secret on a backend server. The problem with your code sample is you’re probably posting JSON, whereas the endpoint (as per the OAuth2 RFC) is accepting urlencoded data as the body

1 Like