Redirect URIs

When you create an app, you need to specify a redirect URI. This is the URI to which Spotify redirects the user after they have granted or denied permission to your app. The redirect URI is required for the authorization code flow and implicit grant flow. The definition of the redirect URI must exactly match the redirect URI you provide when you create your app. The only exception is for loopback IP literals, which can dynamically be assigned ports.

Since we at Spotify, take security very seriously you must follow these requirements when defining your redirect URI:

• Use HTTPS for your redirect URI, unless you are using a loopback address, when HTTP is permitted.
• If you are using a loopback address, use the explicit IPv4 or IPv6, like http://127.0.0.1:PORT or http://[::1]:PORT as your redirect URI.
• localhost is not allowed as redirect URI.

When using a loopback IP literal, you might not know the port number used in advance if it can be assigned dynamically. If you don't know the port number in advance, register your redirect URI with a loopback IP literal, but without any port number. You can add the dynamically assigned port number to the redirect URI in the authorization request. Please note that this is only supported for loopback IP literals, and not for other redirect URIs. This is on-par with the IETF recommendations.

Here are some examples of redirect URIs: