Getting Started

OAuth

There are 2 types of tokens available for the Blaze API: User Access Token and App Access Token. Each token is generated through a different OAuth flow and is intended for different use cases.

User Access Token Flow

Use this flow when your application needs to access Blaze APIs on behalf of a user. The user logs in, grants permission, and your application receives a User Access Token based on the approved scopes.

1. Register Your Application

Before you start, make sure you have a Blaze account on https://blaze.stream. You'll need that account to access the Developer Console, register your application, get your Client ID and Client Secret, and configure the redirect URLs Blaze should allow.

Application Name

A human-readable name for your application. This will be shown to users on the authorization screen when they grant permission to your app.

Redirect URLs

The URLs that Blaze will redirect users back to after they authorize your app. You must register at least one redirect URL. For local development, http://localhost is allowed. All production URLs must use HTTPS.

https://yourapp.com/callback
http://localhost:3000/callback   # for local development
Tip: You can add up to 5 redirect URLs per application. Use http://localhost for development and https:// URLs for production.

2. Redirect User to Authorization Page

Before redirecting a user to Blaze, collect your application credentials and have your backend generate the authorization URL. Then send the user to the returned authorization page so they can log in and approve access.

Field | Description
clientId | Your unique application identifier. This is public and safe to include in client-side code.
clientSecret | A secret key used to exchange the authorization code for a token. Keep this value confidential and never expose it in client-side code.
redirectUri | One of the redirect URLs you registered. Must exactly match a registered URL.

Info: Your Client ID and Client Secret are available on the application edit page. Navigate to Applications, select your app, and copy the values from the details section.

Generate the Authorization URL

POST https://blaze.stream/bapi/oauth2/generate-auth-url

Info: Generated authorization URLs do not apply default scopes. Send a scopes field with the exact permissions you want to request. For chat bot user authorization, request users.read, offline.access, channel.moderate, and users.bot. The approved scopes are returned in the token response.

Request body

clientId (string, required): Application Client ID.
clientSecret (string, required): Application Client Secret.
redirectUri (string, required): Exact registered callback URL.
scopes (string[], optional): Optional scopes to request for this authorization. For a chat bot user authorization, send users.read, offline.access, channel.moderate, and users.bot.

Responses
  • 200 OK (application/json)
  • 400 Bad Request (application/json)
  • 401 Unauthorized (application/json)
  • 404 Not Found (application/json)
  • 500 Internal Server Error (application/json)

POST /bapi/oauth2/generate-auth-url
POST /bapi/oauth2/generate-auth-url HTTP/1.1
Host: blaze.stream
content-type: application/json
accept: application/json

{
  "clientId": "YOUR_CLIENT_ID",
  "clientSecret": "YOUR_CLIENT_SECRET",
  "redirectUri": "https://yourapp.com/callback",
  "scopes": [
    "users.read",
    "offline.access",
    "channel.moderate",
    "users.bot"
  ]
}
200 OK
{
  "url": "https://blaze.stream/oauth2/authorize?...",
  "state": "RANDOM_NONCE_VALUE",
  "codeVerifier": "PKCE_CODE_VERIFIER"
}
Important: Persist the returned state and codeVerifier values. You'll need state when validating the callback and codeVerifier when exchanging the code for an access token.

3. Handle Authorization Callback

After the user approves access, Blaze redirects them back to your registered redirect URL with a code and state query parameter. Read the returned values and validate the state before continuing.

Blaze redirects the user back to your app

Once the user approves access, Blaze sends them back to your registered redirect URI with the values your app needs to continue the flow.

https://yourapp.com/callback?code=AUTHORIZATION_CODE&state=RANDOM_NONCE_VALUE

Read and validate the returned values

In your callback handler, read the returned code, confirm the state matches the state value returned by the auth-url generation step, and keep the stored PKCE values ready for the token exchange.

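// Assumption: before redirecting, your app stored the state returned by the
// generate-auth-url step in sessionStorage under this (hypothetical) key.
const expectedState = sessionStorage.getItem("blaze_oauth_state");

const urlParams = new URLSearchParams(window.location.search);
const code = urlParams.get("code");
const returnedState = urlParams.get("state");

if (!code) {
  throw new Error("Missing code from Blaze callback");
}

// Reject a missing state as well, so that two absent values never compare equal.
if (!expectedState || !returnedState || returnedState !== expectedState) {
  throw new Error("State mismatch");
}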
Tip: The code is delivered as a query parameter (?code=...), not in the URL fragment. Keep the codeVerifier returned by the auth-url generation step, because your server will need it for the token exchange.

4. Exchange Authorization Code for Token

Once you've validated the callback, have your backend exchange the returned authorization code for a User Access Token by sending a POST request to https://blaze.stream/bapi/oauth2/token with the stored PKCE values.

Token endpoint

POST https://blaze.stream/bapi/oauth2/token

Request body

clientId (string, required): Application Client ID.
clientSecret (string, required): Application Client Secret.
code (string, required): Authorization code from the callback.
codeVerifier (string, required): PKCE verifier returned by the auth URL step.
redirectUri (string, required): Same registered callback URL.
grantType (string, required): Use authorization_code.

Responses
  • 200 OK (application/json)
  • 400 Bad Request (application/json)
  • 401 Unauthorized (application/json)
  • 404 Not Found (application/json)
  • 500 Internal Server Error (application/json)

POST /bapi/oauth2/token
POST /bapi/oauth2/token HTTP/1.1
Host: blaze.stream
content-type: application/json
accept: application/json

{
  "clientId": "YOUR_CLIENT_ID",
  "clientSecret": "YOUR_CLIENT_SECRET",
  "code": "AUTHORIZATION_CODE",
  "codeVerifier": "PKCE_CODE_VERIFIER",
  "redirectUri": "https://yourapp.com/callback",
  "grantType": "authorization_code"
}
200 OK
{
  "type": "user",
  "userId": "2f4c6d9a-8e2b-4d77-9f0d-3a1b2c4d5e6f",
  "tokenType": "Bearer",
  "refreshToken": "USER_REFRESH_TOKEN",
  "accessToken": "USER_ACCESS_TOKEN",
  "expiresIn": 86400, // seconds
  "scopes": ["users.read","offline.access","channel.moderate","users.bot"]
}
Important: Perform the token exchange on the server, where you can safely load the Client Secret and the PKCE code verifier. Do not expose either value in browser code.
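
Added example (not Blaze's own code): a Node.js backend version of steps 2 to 4, assuming the registered redirect URL is handled by your server so that state and codeVerifier never leave it. The in-memory Map, the session ids, the 10-minute lifetime and all function names are assumptions; the endpoint and field names are the ones documented above.

```javascript
// Added example, not Blaze's own code. The Map store, session ids and
// 10-minute lifetime are assumptions; field names come from the steps above.
const PENDING_TTL_MS = 10 * 60 * 1000;
const CLIENT = { // placeholders: load real values from server-side config
  clientId: "YOUR_CLIENT_ID",
  clientSecret: "YOUR_CLIENT_SECRET",
  redirectUri: "https://yourapp.com/callback",
};

// Compare strings without returning early at the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Step 2: store state and codeVerifier from generate-auth-url for this session.
function rememberPending(store, sessionId, authResponse, now = Date.now()) {
  const { url, state, codeVerifier } = authResponse;
  store.set(sessionId, { state, codeVerifier, expiresAt: now + PENDING_TTL_MS });
  return url; // redirect the browser here
}

// Steps 3-4: validate the callback, then build the body for POST /bapi/oauth2/token.
function buildTokenRequest(store, sessionId, callbackUrl, now = Date.now()) {
  const params = new URL(callbackUrl).searchParams;
  const pending = store.get(sessionId);
  store.delete(sessionId); // single use, whether or not validation succeeds
  if (!pending || now > pending.expiresAt) throw new Error("No pending authorization");
  if (!constantTimeEqual(params.get("state") || "", pending.state)) {
    throw new Error("State mismatch");
  }
  const code = params.get("code");
  if (!code) throw new Error("Missing code from Blaze callback");
  return { ...CLIENT, code, codeVerifier: pending.codeVerifier, grantType: "authorization_code" };
}

// Backend only: send that body to the token endpoint.
async function exchangeCode(body, fetchImpl = fetch) {
  const res = await fetchImpl("https://blaze.stream/bapi/oauth2/token", {
    method: "POST",
    headers: { "content-type": "application/json", accept: "application/json" },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`Token exchange failed: ${res.status}`);
  return res.json();
}
```

Deleting the pending entry before validating means a replayed or tampered callback cannot be retried against the same state value.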

5. Make API Requests

Use the access token to authenticate requests to the Blaze API. Include it as a Bearer token in the Authorization header of every request.

GET /v1/users/profile
// Run this request on your backend: the "secret" header carries the Client Secret,
// which must never be exposed in client-side code.
const response = await fetch("https://api.blaze.stream/v1/users/profile", {
  headers: {
    "secret": "YOUR_CLIENT_SECRET",
    "client-id": "YOUR_CLIENT_ID",
    "authorization": "Bearer USER_ACCESS_TOKEN",
    "content-type": "application/json"
  }
});

const data = await response.json();
Info: If you receive a 401 Unauthorized response, try refreshing the token with the refresh endpoint first. If refresh fails, send the user through the OAuth flow again.

6. Refresh Access Token

If an access token has expired or is no longer valid, your backend can exchange the refresh token for a fresh access token response without sending the user through the full authorization flow again. Each successful refresh invalidates the previous refresh token and returns a new refresh token that your backend should store for the next refresh request.

Refresh endpoint

POST https://blaze.stream/bapi/oauth2/refresh

Request body

clientId (string, required): Application Client ID.
clientSecret (string, required): Application Client Secret.
refreshToken (string, required): Current refresh token.

Responses
  • 200 OK (application/json)
  • 400 Bad Request (application/json)
  • 401 Unauthorized (application/json)
  • 404 Not Found (application/json)
  • 500 Internal Server Error (application/json)

POST /bapi/oauth2/refresh
POST /bapi/oauth2/refresh HTTP/1.1
Host: blaze.stream
content-type: application/json
accept: application/json

{
  "clientId": "YOUR_CLIENT_ID",
  "clientSecret": "YOUR_CLIENT_SECRET",
  "refreshToken": "USER_REFRESH_TOKEN"
}
200 OK
{
  "tokenType": "Bearer",
  "accessToken": "USER_ACCESS_TOKEN",
  "refreshToken": "USER_REFRESH_TOKEN",
  "expiresIn": 86400, // seconds
  "scopes": ["users.read","offline.access","channel.moderate","users.bot"]
}
Info: Call the refresh endpoint from your backend and keep the refresh token confidential, just like your Client Secret.
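
Added example (not Blaze's own code): a backend token holder that applies the 401 handling from step 5 and the refresh-token rotation from step 6, sharing one refresh between concurrent requests so that no request reuses a refresh token that has already been invalidated. The class name, the save() persistence callback and the injectable fetchImpl are assumptions; the caller passes any other headers the endpoint needs.

```javascript
// Added example, not Blaze's own code. The class, its save() callback and the
// injectable fetchImpl are assumptions; the endpoint and fields are documented above.
const REFRESH_URL = "https://blaze.stream/bapi/oauth2/refresh";

class BlazeUserTokens {
  constructor({ clientId, clientSecret, accessToken, refreshToken, save,
                fetchImpl = (...args) => fetch(...args) }) {
    Object.assign(this, { clientId, clientSecret, accessToken, refreshToken, save, fetchImpl });
    this.inFlight = null; // shared promise while a refresh is running
  }

  // Allow one refresh at a time: each success invalidates the refresh token it
  // used, so a parallel call would be sending an already invalidated token.
  refresh() {
    if (!this.inFlight) {
      this.inFlight = this.doRefresh().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  async doRefresh() {
    const { clientId, clientSecret, refreshToken } = this;
    const res = await this.fetchImpl(REFRESH_URL, {
      method: "POST",
      headers: { "content-type": "application/json", accept: "application/json" },
      body: JSON.stringify({ clientId, clientSecret, refreshToken }),
    });
    if (!res.ok) throw new Error(`Refresh failed (${res.status}): restart the OAuth flow`);
    const tokens = await res.json();
    await this.save(tokens); // persist the rotated refresh token first
    this.accessToken = tokens.accessToken;
    this.refreshToken = tokens.refreshToken;
    return tokens;
  }

  // Call a Blaze API; on 401 refresh once and retry once.
  async request(url, headers = {}) {
    const call = () => this.fetchImpl(url, {
      headers: { ...headers, authorization: `Bearer ${this.accessToken}` },
    });
    let res = await call();
    if (res.status === 401) {
      await this.refresh();
      res = await call();
    }
    return res;
  }
}
```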

App Access Token Flow

App Access Tokens are generated through the Client Credentials flow. These server-to-server API tokens are the most basic form of token for accessing the API. They can access publicly available data and are ideal when user login is not required.

1. Register Your Application

Before you start, make sure you have a Blaze account on https://blaze.stream. You'll need that account to access the Developer Console, register your application, get your Client ID and Client Secret, and configure the redirect URLs Blaze should allow.

Application Name

A human-readable name for your application. This will be shown to users on the authorization screen when they grant permission to your app.

Redirect URLs

A redirect URL is required when registering an application because the same application can be used for user authorization flows. It is not used when generating an App Access Token with the client credentials flow. For App Access Token requests, only the Client ID and Client Secret are required.

https://yourapp.com/callback
http://localhost:3000/callback   # for local development
Tip: You can add up to 5 redirect URLs per application. Use http://localhost for development and https:// URLs for production.

2. Generate App Access Token

Once your application is registered, have your backend send a POST request to https://blaze.stream/bapi/oauth2/token with your Client ID, Client Secret, and grantType set to client_credentials. This generates an App Access Token for server-to-server API requests without any user login or consent step.

Token endpoint

POST https://blaze.stream/bapi/oauth2/token

Request body

clientId (string, required): Application Client ID.
clientSecret (string, required): Application Client Secret.
grantType (string, required): Use client_credentials.

Responses
  • 200 OK (application/json)
  • 400 Bad Request (application/json)
  • 401 Unauthorized (application/json)
  • 404 Not Found (application/json)
  • 500 Internal Server Error (application/json)

POST /bapi/oauth2/token
POST /bapi/oauth2/token HTTP/1.1
Host: blaze.stream
content-type: application/json
accept: application/json

{
  "clientId": "YOUR_CLIENT_ID",
  "clientSecret": "YOUR_CLIENT_SECRET",
  "grantType": "client_credentials"
}
200 OK
{
  "type": "app",
  "tokenType": "Bearer",
  "accessToken": "APP_ACCESS_TOKEN",
  "expiresIn": 604800 // seconds
}
Important: Perform this request on the server and keep your Client Secret confidential. App Access Token requests do not use redirect URLs, authorization codes, or refresh tokens.

3. Make API Requests

Use the App Access Token to authenticate server-to-server requests to Blaze APIs. Include it as a Bearer token in the Authorization header of every request.

GET /v1/chats/messages
const response = await fetch("https://api.blaze.stream/v1/chats/messages", {
  headers: {
    "client-id": "YOUR_CLIENT_ID",
    "authorization": "Bearer APP_ACCESS_TOKEN",
    "content-type": "application/json"
  }
});

const data = await response.json();
Info: If you receive a 401 Unauthorized response, generate a new App Access Token with the client credentials flow and retry the request.