The Client Credentials flow is used in server-to-server authentication. Since this flow does not include authorization, only endpoints that do not access user information can be accessed.

The following diagram shows how the Client Credentials Flow works:

Client Credentials Flow Client Credentials Flow


This guide assumes that you have created an app following the app settings guide.

Source Code

You can find an example app implementing Client Credentials flow on GitHub in the web-api-auth-examples repository.

Request authorization

The first step is to send a POST request to the /api/token endpoint of the Spotify OAuth 2.0 Service with the following parameters encoded in application/x-www-form-urlencoded:

grant_type Required
Set it to client_credentials.

The headers of the request must contain the following parameters:

Authorization Required
Base 64 encoded string that contains the client ID and client secret key. The field must have the format: Authorization: Basic <base64 encoded client_id:client_secret>
Content-Type Required
Set to application/x-www-form-urlencoded.


The following JavaScript creates and sends an authorization request:

var client_id = 'CLIENT_ID';
var client_secret = 'CLIENT_SECRET';

var authOptions = {
  url: '',
  headers: {
    'Authorization': 'Basic ' + (new Buffer(client_id + ':' + client_secret).toString('base64'))
  form: {
    grant_type: 'client_credentials'
  json: true
};, function(error, response, body) {
  if (!error && response.statusCode === 200) {
    var token = body.access_token;

If everything goes well, you’ll receive a response similar to this containing the Access Token:

   "access_token": "NgCXRKc...MzYjw",
   "token_type": "bearer",
   "expires_in": 3600

What’s next?

Learn how to use an access token to fetch track information from the Spotify Web API in the How to use the Access Token guide.