After the removal of unauthenticated calls to the Web API, I have a problem getting a token. I found on developer.spotify that I need to use the authorization code flow. The biggest problem is:
It provides an access token that can be refreshed. Since the token exchange involves sending your secret key, this should happen on a secure location, like a backend service, not from a client like a browser or mobile apps.
Are there other ways to use the Web API, like "get track" or "search an item", without an authorization code flow?
Yes, you need to read about Client Credentials Flow.
The method makes it possible to authenticate your requests to the Spotify Web API and to obtain a higher rate limit than you would get without authentication.
You need to use the client_id and client_secret that you get after registering an app on developer.spotify.
The request will include the parameter grant_type in the request body with the value "client_credentials", and the header must contain Authorization.
Required. Base 64 encoded string that contains the client ID and client secret key. The field must have the format: Authorization: Basic <base64 encoded client_id:client_secret>
You can find all this information in the Web API Authorization Guide.
An example of how to get the token:
    - (void)spotifyToken {
        // Form-encoded body that selects the Client Credentials grant
        NSString *body = @"grant_type=client_credentials";
        NSData *postData = [body dataUsingEncoding:NSASCIIStringEncoding allowLossyConversion:YES];

        // Authorization: Basic base64(client_id:client_secret)
        // clientId and clientSecret are assumed to be defined elsewhere in the class
        NSString *prepareHeader = [NSString stringWithFormat:@"%@:%@", clientId, clientSecret];
        NSData *credentialData = [prepareHeader dataUsingEncoding:NSUTF8StringEncoding];
        NSString *base64encoded = [credentialData base64EncodedStringWithOptions:0];
        NSString *header = [NSString stringWithFormat:@"Basic %@", base64encoded];

        NSMutableURLRequest *request = [[NSMutableURLRequest alloc] init];
        [request setURL:[NSURL URLWithString:@"https://accounts.spotify.com/api/token"]];
        [request setHTTPBody:postData];
        [request setHTTPMethod:@"POST"];
        [request setValue:header forHTTPHeaderField:@"Authorization"];

        NSURLSession *session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]];
        [[session dataTaskWithRequest:request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
            if (!error) {
                dispatch_async(dispatch_get_main_queue(), ^{
                    // save the token somewhere for further use
                });
            }
        }] resume];
    }
Then you make almost the same request to search for an item. But instead of POST you send GET with your token in the header. It looks like:
    // tokenData is the parsed JSON dictionary from the token response above
    NSString *token = [tokenData objectForKey:@"access_token"];
    NSString *tokenType = [tokenData objectForKey:@"token_type"];
    NSString *header = [NSString stringWithFormat:@"%@ %@", tokenType, token];

    NSMutableURLRequest *request = [[NSMutableURLRequest alloc] init];
    // trackId holds the query string appended to the search endpoint
    NSURL *url = [NSURL URLWithString:[NSString stringWithFormat:@"https://api.spotify.com/v1/search?%@", trackId]];
    [request setValue:header forHTTPHeaderField:@"Authorization"];
    [request setURL:url];

    NSURLSession *session = [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration defaultSessionConfiguration]];
    [[session dataTaskWithRequest:request completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) {
        if (!error) {
            NSDictionary *json = [NSJSONSerialization JSONObjectWithData:data options:0 error:nil];
            // JSON with song is here
        }
    }] resume];