Ensure your server has a publicly reachable HTTPS endpoint that can receive POST requests and respond with the challenge value during subscription verification.
Obtain an app access token via the client credentials flow.
Send a POST request to the EventSub subscriptions endpoint (/helix/eventsub/subscriptions) with a JSON body specifying type=stream.online, version, condition (with broadcaster_user_id), and transport (method=webhook, callback URL, secret).
Include Authorization and Client-Id headers on the POST request.
When Twitch sends a verification request to your callback URL (identified by the Twitch-Eventsub-Message-Type: webhook_callback_verification header), respond with HTTP 200 and the challenge string from the request body as plain text.
For incoming event notifications, validate the HMAC signature in the Twitch-Eventsub-Message-Signature header using your subscription secret before processing the payload.
Known gotchas
Twitch will retry delivery if your callback does not respond with 2xx within a few seconds; ensure your handler is fast and idempotent.
Subscriptions expire or are removed if the callback URL repeatedly fails to respond; implement monitoring to detect dropped subscriptions.
The HMAC signature is computed over a concatenation of the message ID, timestamp, and raw body — verify using the raw (unparsed) request body bytes.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp