Skip to main content


In order to access Spotify's data, you will need a dedicated Spotify application (and, of course, a Spotify account). If you don't have one already, click the link below and create one. It's free!

After having created your application, click edit and add the following two redirect URLs:

  • http://localhost:3000 (optional)

Whitelisting the first URL enables you to create both short-lived access and long-lived refresh tokens directly on this page using the helper below.

The second URL is needed when you want to generate a long-lived token locally. You don't have to add it in your Spotify application. It's only needed when you want to use the auth-token package.

Supported Grant Flows and Tokens

Spotify implements the OAuth 2.0 authorization framework. Out of all authorization flows, we're particularly interested in two of them: Implicit Grant Flow and Authorization Code Flow. Both of these methods eventually let us access user-related data on Spotify. Below is an excerpt from the Spotify documentation (May 2022).

Implicit Grant Flow

The implicit grant flow is carried out on the client side and it does not involve secret keys. Thus, you do not need any server-side code to use it. Access tokens issued are short-lived with no refresh token to extend them when they expire.

Authorization Code Flow

The authorization code flow is suitable for long-running applications (e.g. web and mobile apps) where the user grants permission only once.

In short:

  • The Authorization Code Flow involves exchanging a client secret. It generates both a short-lived access and long-lived refresh token that can be used to independently renew the access token.
  • The Implicit Grant Flow does not include and secrets. It can only be carried out in a browser. The result is a short-lived access token.

Getting an access token

In order to authenticate with Spotify, most packages need a (short-lived) access token. If you're unsure what you need, Implicit Grant is a good start! Tokens obtained from this flow expire after one hour and do not require the exchange of any secrets.

These short-lived tokens are saved locally in this browser as long as they are valid. If you select the Authorization Code Flow, the generated refresh token will not be saved in your browser. Copy it before you leave the page!

Last but not least, note that all packages that require a token will list what scopes are needed.