Authorization Methods

Types of authorization flow

Spotify API provides the following four types of authorization flow to get an access token:

• Authorization code: In this authorization flow, the Spotify API server acts as an intermediary between the end user and us. We redirect the user to the Spotify API server, where the user logs in and grants us the required permissions. Once access has been granted, we get a code to give us the required permissions. We can use this code to get an access token, which can then be used while making the API calls.

• Authorization code with PKCEProof Key for Code Exchange: This is the same authorization flow as the authorization code but more secure. It has an extra parameter called code_verifier, which the API server authenticates before responding to the access code requests.

• Client credentials: This provides authentication rather than authorization because it doesn't require any permissions from the end user. We can request this access token by just using our credentials—Client ID and Client Secret.

• Implicit grant: This is the same as the authorization code, but instead of getting an intermediary code, we directly get the access token using this authorization flow. However, it has a very short lifespan and cannot be refreshed.

Based on our requirements, we can use any of these authorization flows for our app.

Comparison of authorization flows

The table below shows the significant differences between these workflows based on some key factors:

This course will use both authorization code and client credentials flow. We'll use the authorization code token for user-specific endpoints and the client credentials token for all public endpoints. Although we can use the authorization code token for public endpoints as well, we'll learn about the client credentials token too, just in case we might want to make an app for the users who have no Spotify account.