Reference Application to connect to spotify API to request currently playing songs.
Prerequisites
This guide assumes that you have created an app following the app settings guide.
Source Code
You can find an example app implementing Client Credentials flow on
GitHub in the web-api-auth-examples repository.
Request authorization
The first step is to send a POST request to the
/api/token endpoint of the Spotify OAuth 2.0 Service with the
following parameters encoded in application/x-www-form-urlencoded:
REQUEST BODY PARAMETER VALUE
grant_type Required
Set it to client_credentials.
The headers of the request must contain the following parameters:
HEADER PARAMETER VALUE
Authorization Required
Base 64 encoded string that contains the client ID and client secret key.
The field must have the format:
Authorization: Basic <base64 encoded client_id:client_secret>
Content-Type Required
Set to application/x-www-form-urlencoded.
If the user accepted your request, then your app is ready to exchange the authorization code for an Access Token. It can do this by making a POST
request to the /api/token
endpoint.
The body of this POST
request must contain the following parameters encoded in application/x-www-form-urlencoded
:
REQUEST BODY PARAMETER
grant_type _Required_
This field must contain the value `"authorization_code"`.
code _Required_
The authorization code returned from the previous request.
redirect_uri _Required_
This parameter is used for validation only (there is no actual redirection).
The value of this parameter must exactly match the value
of `redirect_uri` supplied when requesting the authorization code.
If you are implementing the PKCE extension, these additional parameters must be included as well:
REQUEST BODY PARAMETER
client_id _Required._
The client ID for your app, available from the developer dashboard.
code_verifier _Required._
The value of this parameter must match the value of the `code_verifier`
that your app generated in the previous step.
The request must include the following HTTP headers:
HEADER PARAMETER
Authorization _Required_
Base 64 encoded string that contains the client ID and client secret key.
The field must have the format:
`Authorization: Basic <base64 encoded client_id:client_secret>`
Content-Type _Required_
Set to `application/x-www-form-urlencoded`.
![image](https://user-images.githubusercontent.com/66242615/161763646-6be45b80-0c4f-47d2-8bb9-0af38a2cbcf9.png)
##How to create a Spotify refresh token the easy way
In this guide I will explain how to manually generate a Spotify refresh token then use that to programmatically create an access token when needed.
My use case was for my wwoz_to_spotify project in which I have a long running cronjob that needs to update a Spotify playlist. Since the job runs in the background I needed a way to avoid the Spotify login pop-up during the authorization flow. The solution is to manually generate a Spotify refresh token then use that to create an access token when needed.
Visit your Spotify developers dashboard then select or create your app. Note down your Client ID, Client Secret, and Redirect URI in a convenient location to use in Step 2.
Visit the following URL after replacing $CLIENT_ID
, $SCOPE
, and $REDIRECT_URI
with the information you noted in Step 1. Make sure the $REDIRECT_URI
is URL encoded.
https://accounts.spotify.com/authorize?response_type=code&client_id=$CLIENT_ID&scope=$SCOPE&redirect_uri=$REDIRECT_URI
My url looked like this
https://accounts.spotify.com/authorize?response_type=code&client_id=$CLIENT_ID&scope=playlist-modify-private&redirect_uri=https%3A%2F%2Fbenwiz.io
I was redirected to the following URL because my redirect URI was set to https://benwiz.io. In place of $CODE
there was a very long string of characters. Copy that string and note it down for use in Step 4.
https://benwiz.io/?code=$CODE
Running the following CURL command will result in a JSON string that contains the refresh token, in addition to other useful data. Again, either replace or export the following variables in your shell $CILENT_ID
, $CLIENT_SECRET
, $CODE
, and $REDIRECT_URI
.
curl -d client_id=$CLIENT_ID -d client_secret=$CLIENT_SECRET -d grant_type=authorization_code -d code=$CODE -d redirect_uri=$REDIRECT_URI https://accounts.spotify.com/api/token
The result will be a JSON string similar to the following. Take the refresh_token
and save that in a safe, private place. This token will last for a very long time and can be used to generate a fresh access_token
whenever it is needed.
{
"access_token": "$ACCESS_TOKEN",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "$REFRESH_TOKEN",
"scope": "playlist-modify-private"
}