Authorization Methods
Learn about the authorization methods we can use for the Spotify API.
The API calls made to any endpoint of Spotify API are validated based on whether the provided access token is valid or not. Spotify uses the OAuth 2.0 framework to provide these access tokens. In this lesson, we’ll discuss different types of flows Spotify API provides us to get access tokens.
Types of flows
Spotify API provides the following four types of flows to get an access token:

- Authorization code
- Authorization code with PKCE, which adds a `code_verifier`, which the API server authenticates before responding to the access code requests.
- Client credentials
- Implicit grant

Based on our requirements, we can use any of these flows for our app.
Comparison of authorization flows
The table below shows the significant differences between these workflows based on some key factors:
| Type of authorization flow | Requires user's permission | Can be refreshed | Is short-lived | Can be used to access or modify user's resources |
|---|---|---|---|---|
| Authorization code | Yes | Yes | No | Yes |
| Authorization code with PKCE | Yes | Yes | No | Yes |
| Client credentials | No | No | No | No |
| Implicit grant | Yes | No | Yes | Yes |
This course will use both the authorization code and the client credentials flow. We'll use the authorization code token for the user-specific endpoints and the client credentials token for all the public endpoints. Although we could use the authorization code token for public endpoints as well, we'll learn about the client credentials token too, in case we want to build an app for users who have no Spotify account.
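To make the two flows the course uses concrete, here is an added example (not code from the course or from Spotify) that builds the PKCE `code_verifier`/`code_challenge` pair and the authorize URL, the token-exchange body, and the client credentials token request. It assumes Spotify's documented OAuth endpoints and a placeholder client ID and secret; nothing is sent over the network.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed endpoints (Spotify's public OAuth documentation, not this page).
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"


def make_code_verifier(length: int = 64) -> str:
    """Random URL-safe code_verifier; RFC 7636 allows 43..128 characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return secrets.token_urlsafe(96)[:length]  # 96 bytes -> 128 chars


def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(sha256(verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_authorize_url(client_id, redirect_uri, scope, verifier, state) -> str:
    """Step 1 of authorization code with PKCE: send the user to consent.
    Only the challenge leaves the app; the verifier stays in memory."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # echoed back; check it on the redirect to stop CSRF
        "code_challenge_method": "S256",
        "code_challenge": code_challenge(verifier),
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def pkce_token_body(client_id, redirect_uri, code, verifier) -> dict:
    """Step 2: exchange the code; the server hashes code_verifier and
    compares it with the challenge it saw in step 1 (no client secret needed)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "code_verifier": verifier}


def client_credentials_request(client_id, client_secret) -> tuple:
    """Client credentials: no user consent, so the token only reaches public
    endpoints. Returns (headers, body) for a POST to TOKEN_URL."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {basic}"}, {"grant_type": "client_credentials"}
```

Because the secret is only used in the client credentials flow, it belongs on a server, never in a browser or mobile build; the PKCE flow exists precisely so such clients can avoid holding one.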