
Redirect URIs

Beginning on the 9th of April 2025, we will enforce the following validations for all newly created apps.


We expect all clients to migrate to the new redirect URI validation by November 2025.


To learn more, please refer to the Spotify Developer Blog.

When you create an app, you need to specify a redirect URI. This is the URI to which Spotify redirects the user after they have granted or denied permission to your app. The redirect URI is required for the authorization code flow and the implicit grant flow. The redirect URI you send in the authorization request must exactly match the redirect URI you provided when you created your app. The only exception is for loopback IP literals, which can be assigned ports dynamically.

Requirements

Since we at Spotify take security very seriously, you must follow these requirements when defining your redirect URI:

  • Use HTTPS for your redirect URI, unless you are using a loopback address, in which case HTTP is permitted.
  • If you are using a loopback address, use the explicit IPv4 or IPv6 literal, like http://127.0.0.1:PORT or http://[::1]:PORT, as your redirect URI.
  • localhost is not allowed as a redirect URI.

Loopback addresses and port numbers

When using a loopback IP literal, you might not know the port number in advance because it can be assigned dynamically. In that case, register your redirect URI with a loopback IP literal but without a port number, and add the dynamically assigned port number to the redirect URI in the authorization request. Note that this is only supported for loopback IP literals, not for other redirect URIs. This is in line with the IETF recommendations.

Examples

Here are some examples of redirect URIs:


https://example.com/callback
http://127.0.0.1:8000/callback
http://[::1]:8000/callback
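
The requirements and the loopback port exception above, written as a check that a client or test suite could run before registering a redirect URI or sending an authorization request. This is an added example, not Spotify's code: the function names are hypothetical, and it assumes that any scheme other than HTTPS (or HTTP on a loopback IP literal) fails the HTTPS requirement, since this page does not describe other schemes.

```python
import ipaddress
from urllib.parse import urlsplit


def is_loopback_literal(host):
    """True only for explicit loopback IP literals such as 127.0.0.1 or ::1."""
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return False  # host names, including "localhost", are not IP literals


def registration_problems(uri):
    """Return the requirements from this page that a candidate URI violates."""
    parts = urlsplit(uri)
    if parts.hostname == "localhost":
        return ["localhost is not allowed; use 127.0.0.1 or [::1]"]
    if parts.scheme == "https":
        return []
    if parts.scheme == "http" and is_loopback_literal(parts.hostname):
        return []  # HTTP is permitted only for loopback IP literals
    # Assumption: anything else (including non-HTTP schemes) fails the HTTPS rule.
    return ["use HTTPS unless the host is a loopback IP literal"]


def matches_registered(registered, requested):
    """Exact match, except a port-less loopback registration accepts any port."""
    if registered == requested:
        return True
    try:
        reg, req = urlsplit(registered), urlsplit(requested)
        if not is_loopback_literal(reg.hostname) or reg.port is not None:
            return False  # the port exception is for loopback literals only
        # Drop the request's port, then require everything else to be identical.
        netloc = req.netloc.rsplit(":", 1)[0] if req.port is not None else req.netloc
    except ValueError:  # malformed port or IPv6 literal
        return False
    return (reg.scheme, reg.netloc, reg.path, reg.query, reg.fragment) == (
        req.scheme, netloc, req.path, req.query, req.fragment)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real app registration.
    for uri in ("https://example.com/callback", "http://localhost:8000/callback"):
        print(uri, registration_problems(uri) or "ok")
    print(matches_registered("http://127.0.0.1/callback",
                             "http://127.0.0.1:51234/callback"))
```

A loopback URI registered with a port, or any non-loopback URI, still has to match character for character; only a loopback literal registered without a port accepts a dynamically assigned one.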