I recently shipped a production Twitch extension. This is the mistake that cost me the most time.

If you've tried to build a Twitch extension with a backend service (called an EBS — Extension Backend Service), you may have run into a wall of mysterious 401 errors that no amount of Stack Overflow searching seems to fix. The cause is almost certainly this.

## The Mistake

Twitch signs the JWTs it sends to your EBS using your extension's secret key. You verify these JWTs in your backend using a library like `jsonwebtoken`. Every tutorial you'll find shows something like this:

```javascript
const secret = process.env.TWITCH_EXTENSION_SECRET;

app.use((req, res, next) => {
  const token = req.headers.authorization?.slice(7);
  const decoded = jwt.verify(token, secret); // 401 every time
});
```

This looks correct. It isn't.

## What's Actually Happening

Go to your extension in the Twitch Developer Console and look at the extension secret on the Settings tab.…
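The key-handling detail behind this failure, as an added example that is not code from the original post: Twitch's documentation describes the extension secret as base64-encoded, so the HMAC key is the decoded bytes, not the string the console displays. The helper names, the secret and the token below are constructed for illustration, and the code uses only Node's built-in `crypto`.

```javascript
// Added example: HS256 verification with Node's built-in crypto only.
const crypto = require('node:crypto');

const b64url = (x) => Buffer.from(x).toString('base64url');

// Sign "header.payload" with HMAC-SHA256 under `key` (string or Buffer).
function signHS256(payload, key) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Returns the payload if the signature matches under `key`, otherwise null.
function verifyHS256(token, key) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8')); }
  catch { return null; }
  if (header.alg !== 'HS256') return null; // pin the algorithm, never trust the header
  const expected = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try { return JSON.parse(Buffer.from(body, 'base64url').toString('utf8')); }
  catch { return null; }
}

// Constructed secret, in the base64 text form a console would display.
const SECRET_B64 = Buffer.from('constructed-demo-secret-32-bytes').toString('base64');
const KEY_BYTES = Buffer.from(SECRET_B64, 'base64');

// Constructed token, signed with the decoded bytes (the issuer's side).
const token = signHS256({ channel_id: '12345', role: 'viewer' }, KEY_BYTES);

function demo() {
  return {
    rawString: verifyHS256(token, SECRET_B64), // base64 text used as key: rejected
    decoded: verifyHS256(token, KEY_BYTES),    // decoded bytes used as key: accepted
  };
}
console.log(demo());
```

With `jsonwebtoken`, the equivalent is passing `Buffer.from(secret, 'base64')` as the key and pinning `algorithms: ['HS256']`. A production verifier also rejects tokens whose `exp` claim has passed, which this block leaves out.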