03 · Security

Rotate tokens. Know what breaks.

WES Alert ships two private tokens per account. Either can be regenerated at any time. This page tells you what each one does, when to rotate, and what reconnects on the other end.

How to regenerate

If you suspect a leak, do this first. The context — what each token does, when else to rotate, what breaks after — lives below.

  1. Open the dashboard, click Advanced Settings.
  2. Scroll to 03 · Tokens · Security.
  3. Click Regenerate next to the token you want to rotate. The old token is killed immediately and irreversibly.
  4. Copy the new value and paste it back where it was used — OBS Browser Source for the Overlay URL, Streamer.bot HTTP action for the Stream Key.
  5. Refresh the OBS Browser Source (right-click → Refresh) so it picks up the new URL.

Your tokens

Both tokens live in the dashboard under Advanced Settings → 03 · Tokens · Security. They are per-account secrets — never share them in screenshots, exports, or clip thumbnails.

Overlay URL

Used by the OBS Browser Source. The full URL carries your license key as a path segment, which is why the dashboard hides it by default.

If leaked: anyone with the URL can render your overlay in their own OBS — they'd see the same alerts you do. They can't post events as you (that path is Twitch-side), but they can mirror your overlay output.

Stream Key

Used by Streamer.bot to forward donations and custom triggers to WES Alert. Lives in your Streamer.bot HTTP action config.

If leaked: anyone with the key can post fake alerts (donations, custom events) to your overlay. This is the more dangerous of the two — rotate immediately if you suspect a leak.

When to rotate

Don't wait for a confirmed leak — rotate proactively in any of these cases:

  • The URL appeared in a screen share, a clip thumbnail, a screenshot you posted, or a chat message you sent.
  • You handed off the OBS profile, let a friend touch your machine, sold the PC, or returned a rental.
  • The Stream Key shows up in a Streamer.bot export, a public action file, a GitHub gist, a Discord channel.
  • You connected a third-party tool to either token and you no longer trust the tool.
  • Routine hygiene — rotating once or twice a year is healthy even without a specific trigger.

What breaks, what doesn't

After rotating the Overlay URL

  • Active OBS sessions disconnect. Any Browser Source still pointing at the old URL goes blank until you paste the new one.
  • The dashboard preview keeps working. The preview iframe uses your cookie-based session, not the URL.
  • Twitch events keep arriving. EventSub is tied to your Twitch OAuth, not to the overlay URL.

After rotating the Stream Key

  • Streamer.bot stops posting. Any HTTP action using the old key will return 401 until you update its Streamer.bot config.
  • Twitch native events keep arriving. The Stream Key only matters for Streamer.bot — follows / subs / gifts / cheers / raids come straight from EventSub and stay online.

Sessions vs tokens

Rotating a token does not log you out of the dashboard, and does not touch your Twitch OAuth connection. These are three separate trust surfaces:

  • Tokens (Overlay URL, Stream Key) — for machine-to-machine traffic. Rotated in Advanced Settings → Security.
  • Dashboard sessions — for your browser. Kill them with Log out (this device) or Log out of all devices (every device, recommended if you suspect your dashboard cookie leaked).
  • Twitch OAuth — for reading your channel's events. Revoke from Twitch settings → Connections, then reconnect from the dashboard.

Worst-case checklist. If you think everything has leaked at once, the order matters: (1) revoke and re-grant the Twitch OAuth first — that's the root of trust, so killing it invalidates any active WES session that re-authenticates through Twitch. (2) log out of all devices to clear lingering dashboard cookies. (3) rotate both tokens. Three actions, ~30 seconds.

Why this order? WES Alert has no password and no separate account database. We never see your Twitch password, and there is no "WES account" sitting next to your Twitch account — your Twitch login is your WES login. We trust whoever Twitch trusts. So as long as someone is signed into Twitch on their browser with access to your channel, they can re-authenticate to WES silently on the next page load (same OAuth, same trust, new session). Revoking the Twitch OAuth grant first breaks that loop at its root — only then does the WES logout actually stick.

Need the OBS setup?

The full Browser Source walkthrough is on /web-panel/setup.