On Wednesday 29th June we will release an update for all client IDs to enable your application to read which scopes have been granted by the user when requesting or refreshing access tokens.

After the change, any calls made to https://accounts.spotify.com/api/token in order to request or refresh tokens on behalf of a user will additionally return a space-separated list of the scopes granted in that token.

Current response:

{
  "expires_in": 3600,
  "token_type": "Bearer",
  "access_token": "<data>",
  "refresh_token": "<data>"
}

Response as of 29th June 2016:

{
  "expires_in": 3600,
  "scope": "scope1 scope2 scope3",
  "token_type": "Bearer",
  "access_token": "<data>",
  "refresh_token": "<data>"
}

This change allows your application to know whether you need to ask an individual user to re-authenticate with new scopes after you have added new functionality into your implementation, or whether the token you are refreshing already contains permission for all the necessary scopes.

In most cases, you should not need to take any action in preparation for this change, unless your implementation cannot cope with additional information being provided.