Well... I've thought about it a bit... And it's probably the first solution that will be suitable for not breaking the possibility of hash the proof. Am I right?
Okay, I totally understand your position.
So, if we use the gql endpoint, we can use the kimne78kx3ncx6brgo4mv6wki5h1ko client-ID, which is the one used by unauthenticated clients.
After...
Nice find. I haven't been able to get it to work on my end, so I'm going to do some testing today.
However, [we're not technically allowed to use it](https://discuss.dev.twitch.com/t/is-it-leg...
Yes, the Twitch API requires at least one app_token without scope to get a user.
My actual testing workflow is as follows, using a test app with no special permissions :
$ curl -X POST...
If the proposed verification mechanism works for you, I can try to implement it using Matrix as an example.