Authorization Methods

Learn about the authorization methods we can use for the Spotify API.

Every call to a Spotify API endpoint is validated by checking whether the access token it carries is valid. Spotify issues these access tokens using the OAuth 2.0 framework. In this lesson, we’ll discuss the different types of authorization flow the Spotify API provides for obtaining access tokens.

Types of authorization flow

Spotify API provides the following four types of authorization flow to get an access token:

  • Authorization code: In this flow, the Spotify API server acts as an intermediary between the end user and us. We redirect the user to the Spotify API server, where the user logs in and grants us the required permissions. Once access has been granted, we receive an authorization code that represents those permissions. We exchange this code for an access token, which we then send with our API calls.

  • Authorization code with PKCE (Proof Key for Code Exchange): This is the same flow as the authorization code flow, but more secure. It adds an extra parameter, code_verifier, which the API server verifies before responding to the request that exchanges the code for an access token.

  • Client credentials: This provides authentication rather than authorization because it doesn't require any permissions from the end user. We can request this access token by just using our credentials—Client ID and Client Secret.

  • Implicit grant: This is the same as the authorization code flow, but instead of receiving an intermediary code, we get the access token directly. However, the token has a very short lifespan and cannot be refreshed.

Based on our requirements, we can use any of these authorization flows for our app.
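As an added example (not part of the course material), the following shows how a client generates the PKCE code_verifier and code_challenge described above, builds the Spotify authorization URL, and how the server-side check on code_verifier works when the code is exchanged for a token. The endpoint URL and parameter names follow the OAuth 2.0 and PKCE (RFC 7636) specifications as used by Spotify; the client ID and redirect URI are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Spotify's OAuth 2.0 authorization endpoint (assumed from Spotify's documentation).
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"


def _b64url(data: bytes) -> str:
    """Base64url-encode without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 64) -> str:
    """High-entropy random verifier; 64 bytes -> 86 chars, within the 43..128 range."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        challenge: str, state: str) -> str:
    """Step 1 of the PKCE flow: the URL we redirect the user to. The challenge
    travels here; the verifier stays with the client until the token request."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
        "scope": scope,
        "state": state,  # anti-CSRF value the client checks on the callback
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def server_accepts_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server checks when the token request arrives:
    recompute the challenge from the presented verifier and compare it to the
    one bound to the authorization code. A stolen code without the verifier fails."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "http://localhost:8888/callback",
                              "user-read-private", challenge, secrets.token_urlsafe(16)))
    print("server accepts verifier:", server_accepts_verifier(challenge, verifier))
```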

Comparison of authorization flows

The table below shows the significant differences between these flows based on some key factors:

Type of authorization flow    | Requires user's permission | Can be refreshed | Is short-lived | Can be used to access or modify user's resources
------------------------------|----------------------------|------------------|----------------|-------------------------------------------------
Authorization code            | Yes                        | Yes              | No             | Yes
Authorization code with PKCE  | Yes                        | Yes              | No             | Yes
Client credentials            | No                         | No               | No             | No
Implicit grant                | Yes                        | No               | Yes            | Yes

This course will use both the authorization code and the client credentials flow. We'll use the authorization code token for user-specific endpoints and the client credentials token for all public endpoints. Although the authorization code token works for public endpoints as well, we'll learn about the client credentials token too, in case we want to build an app for users who have no Spotify account.