Access tokens issued by the Spotify account service have a lifetime of one hour. If a longer session is desired, the Spotify account service supports the OAuth Code grant flow. The iOS-SDK provides helper functionality to simplify the use of the Code grant flow.

By setting tokenSwapURL and tokenRefreshURL, the iOS-SDK can request a new access token with a refresh token whenever needed. The iOS-SDK demo project has a Ruby example of the needed back-end services. The example is not recommended for use in production.

This page describes the requests made by the iOS-SDK and the expected responses.

tokenSwapURL

Swaps a code for an access token and a refresh token.

Request Headers

Header Value
Content-Type application/x-www-form-urlencoded

Request Body

Parameter description
code The code returned from Spotify account service to be used in the token request.

Request Example

curl -X POST "https://example.com/v1/swap" -H "Content-Type: application/x-www-form-urlencoded" --data "code=AQDy8...xMhKNA"

Expected Response Headers

Header Value
Content-Type application/json

Expected Response Body Parameters

Parameters must be JSON encoded.

Parameter description
access_token Access token received from Spotify account service.
expires_in The time period (in seconds) for which the access token is valid. Returned from the Spotify account service.
refresh_token The refresh token returned from the Spotify account service. The endpoint should not return the actual refresh token but a reference to the token or an encrypted version of the token. An encryption solution is shown in the Ruby example.

Response Example

{
 "access_token" : "NgAagA...Um_SHo",
 "expires_in" : "3600",
 "refresh_token" : "NgCXRK...MzYjw"
}

tokenRefreshURL

Uses the refresh token to get a new access token.

Request Headers

Header Value
Content-Type application/x-www-form-urlencoded

Request Body

Parameter description
refresh_token The refresh_token value previously returned from the token swap endpoint.

Request Example

curl -X POST "https://example.com/v1/refresh" -H "Content-Type: application/x-www-form-urlencoded" --data "refresh_token=NgCXRK...MzYjw"

Expected Response Headers

Header Value
Content-Type application/json

Expected Response Body Parameters

Parameter description
access_token Access token received from Spotify account service.
expires_in The time period (in seconds) for which the access token is valid. Returned from the Spotify account service.

Response Example

{
 "access_token" : "NgAagA...Um_SHo",
 "expires_in" : "3600"
}
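
The refresh_token handling described for both endpoints, as an added example (not the demo project's Ruby code): the swap endpoint seals the real refresh token before it reaches the app, and the refresh endpoint opens it again and rejects altered values. AES-256-GCM, the hex(iv || tag || ciphertext) layout and all function names are assumptions of this example; the 32-byte key is assumed to come from server-side secret storage.

```ruby
require "openssl"
require "json"
require "uri"

# Encrypt the real refresh token with AES-256-GCM so the app only ever holds
# an opaque value. Output is hex(iv || tag || ciphertext), safe in a form body.
def seal_refresh_token(token, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv              # fresh 12-byte nonce per token
  cipher.auth_data = ""
  ciphertext = cipher.update(token) + cipher.final
  (iv + cipher.auth_tag + ciphertext).unpack1("H*")
end

# Returns the real refresh token, or nil if the value was altered, truncated,
# or sealed under a different key.
def open_refresh_token(sealed, key)
  raw = [sealed].pack("H*")
  return nil if raw.bytesize < 29    # 12 (iv) + 16 (tag) + at least 1 byte
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = ""
  (cipher.update(raw[28..]) + cipher.final).force_encoding("UTF-8")
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# tokenSwapURL: rewrite the account-service JSON into the body sent to the app.
def swap_response(account_service_json, key)
  body = JSON.parse(account_service_json)
  JSON.generate(
    "access_token"  => body["access_token"],
    "expires_in"    => body["expires_in"],
    "refresh_token" => seal_refresh_token(body["refresh_token"], key)
  )
end

# tokenRefreshURL: recover the real refresh token from the app's form body.
def refresh_token_from_request(form_body, key)
  sealed = URI.decode_www_form(form_body).to_h["refresh_token"]
  sealed && open_refresh_token(sealed, key)
end
```

A nil result from refresh_token_from_request means the request should be refused without contacting the account service.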