Obtain an app access token using the client credentials OAuth flow with the required scopes for the subscription types needed (e.g., channel:read:redemptions for channel point events)
Register a publicly reachable HTTPS webhook callback URL that can respond to Twitch's challenge verification request with a 200 OK and the echoed challenge string
Call the EventSub subscriptions endpoint (POST to the subscriptions resource) with the subscription type, version, condition (e.g., broadcaster_user_id), and transport object specifying method 'webhook' and the callback URL
Twitch sends a verification challenge POST to the callback URL; respond within the required time window by returning the challenge value to confirm the subscription
On receiving event notifications, verify the Twitch-Message-Signature header using the HMAC of the message ID, timestamp, and raw body with the subscription's secret to reject forged requests
Handle duplicate deliveries by checking the Twitch-Message-Id header and deduplicating against recently processed IDs
Known gotchas
Webhook callbacks must respond to the verification challenge within a short time window; slow cold-start infrastructure (e.g., serverless functions) can fail the initial handshake
Signature verification must be performed on the raw request body before JSON parsing; parsing first and re-serializing changes whitespace and will cause HMAC mismatches
EventSub subscriptions expire or are disabled if too many delivery failures occur; implement a reconciliation process that re-creates subscriptions that are no longer in the 'enabled' status
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp