
Client Credentials Flow

The Client Credentials flow is used for server-to-server authentication. Because this flow involves no user authorization, it can only be used with endpoints that do not access user information.

The following diagram shows how the Client Credentials Flow works:

[Diagram: Client Credentials Flow]

Pre-requisites

This guide assumes that:

Source Code

You can find an example app implementing Client Credentials flow on GitHub in the web-api-examples repository.

Request authorization

The first step is to send a POST request to the /api/token endpoint of the Spotify OAuth 2.0 Service with the following parameters encoded in application/x-www-form-urlencoded:

Body parameter | Relevance | Value
grant_type | Required | Set it to client_credentials.

The headers of the request must contain the following parameters:

Header parameter | Relevance | Value
Authorization | Required | Base64-encoded string containing the client ID and client secret. The field must have the format: Authorization: Basic <base64 encoded client_id:client_secret>
Content-Type | Required | Set to application/x-www-form-urlencoded.

The following JavaScript creates and sends an authorization request:

var request = require('request'); // HTTP client used by this example (npm package "request")

var client_id = 'CLIENT_ID';         // replace with your app's client ID
var client_secret = 'CLIENT_SECRET'; // replace with your app's client secret; keep it server-side only

var authOptions = {
  url: 'https://accounts.spotify.com/api/token',
  headers: {
    // HTTP Basic auth: base64 of "client_id:client_secret"
    'Authorization': 'Basic ' + Buffer.from(client_id + ':' + client_secret).toString('base64')
  },
  form: {
    // sent as application/x-www-form-urlencoded
    grant_type: 'client_credentials'
  },
  json: true // parse the JSON response body automatically
};

request.post(authOptions, function(error, response, body) {
  if (!error && response.statusCode === 200) {
    // use this token in subsequent Web API calls
    var token = body.access_token;
  }
});

Response

If everything goes well, you'll receive a response with a 200 OK status and the following JSON data in the response body:

Key | Type | Description
access_token | string | An access token that can be provided in subsequent calls, for example to Spotify Web API services.
token_type | string | How the access token may be used: always "Bearer".
expires_in | int | The time period (in seconds) for which the access token is valid.

For example:

{
  "access_token": "NgCXRKc...MzYjw",
  "token_type": "bearer",
  "expires_in": 3600
}

What's next?

Learn how to use an access token to fetch data from the Spotify Web API by reading the access token guide.