
Redirect URIs

Warning:

We are currently in the process of changing how we validate the redirect_uri parameter. What is described below as best practices will be enforced in the future. To better understand how and when this will happen, please refer to the Spotify Developer Community.

When you create an app, you need to specify a redirect URI. This is the URI to which Spotify redirects the user after they have granted or denied permission to your app. The redirect URI is required for the authorization code flow and the implicit grant flow. The redirect URI you send in the authorization request must exactly match the redirect URI you provided when you created your app. The only exception is for loopback IP literals, which can be assigned ports dynamically.

Best practices

Since we at Spotify take security very seriously, you must follow these best practices when defining your redirect URI:

  • Use HTTPS for your redirect URI, unless you are using a loopback address, where HTTP is permitted.
  • If you are using a loopback address, use the explicit IPv4 or IPv6 literal, like http://127.0.0.1:PORT or http://[::1]:PORT, as your redirect URI.
  • Avoid using localhost as your redirect URI.

Loopback addresses and port numbers

When using a loopback IP literal, you might not know the port number in advance if it is assigned dynamically. In that case, register your redirect URI with a loopback IP literal but without any port number. You can then add the dynamically assigned port number to the redirect URI in the authorization request. Please note that this is only supported for loopback IP literals, and not for other redirect URIs. This is in line with the IETF recommendations.
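The following is an added example, not Spotify's own validation code, showing how a client or authorization server could apply the two rules described above: the best practices for registering a redirect URI (HTTPS except for loopback, explicit IP literals, no localhost) and the exact-match comparison at authorization time, where the only relaxation is that a loopback IP literal registered without a port may carry a dynamically assigned port in the request. The function names and the constructed URIs are assumptions for illustration; Spotify's actual behaviour is as described on this page and may differ in detail.

```python
from typing import List
from urllib.parse import urlsplit

# Explicit loopback IP literals (the page recommends these instead of "localhost").
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_literal(uri: str) -> bool:
    """True when the URI host is 127.0.0.1 or [::1] (urlsplit strips the brackets)."""
    return urlsplit(uri).hostname in LOOPBACK_HOSTS


def check_registration(uri: str) -> List[str]:
    """Return the best-practice violations for a redirect URI being registered.

    An empty list means the URI follows the rules on this page.
    """
    parts = urlsplit(uri)
    host = parts.hostname or ""
    loopback = host in LOOPBACK_HOSTS
    problems = []
    if host == "localhost":
        problems.append("localhost is not allowed; use 127.0.0.1 or [::1]")
    if parts.scheme == "http" and not loopback:
        problems.append("http is only permitted for loopback IP literals")
    elif parts.scheme not in ("http", "https"):
        problems.append(f"unsupported scheme {parts.scheme!r}")
    return problems


def redirect_uri_matches(registered: str, requested: str) -> bool:
    """Exact-match rule with the single loopback exception.

    The redirect_uri in the authorization request must be byte-for-byte identical
    to the registered one, unless the registered URI is a loopback IP literal
    without a port, in which case the request may add a dynamically assigned port
    and everything else (scheme, host, path, query, fragment) must still match.
    """
    if registered == requested:
        return True
    reg, req = urlsplit(registered), urlsplit(requested)
    if not (is_loopback_literal(registered) and is_loopback_literal(requested)):
        return False  # no exception for non-loopback redirect URIs
    if reg.port is not None:
        return False  # a port that was registered is part of the exact match
    return (
        reg.scheme == req.scheme
        and reg.hostname == req.hostname
        and reg.path == req.path
        and reg.query == req.query
        and reg.fragment == req.fragment
    )


if __name__ == "__main__":
    # Constructed sample URIs for a quick demonstration.
    for candidate in ("https://example.com/callback",
                      "http://127.0.0.1/callback",
                      "http://localhost:8000/callback",
                      "http://example.com/callback"):
        print(candidate, "->", check_registration(candidate) or "ok")
    print(redirect_uri_matches("http://127.0.0.1/callback",
                               "http://127.0.0.1:51234/callback"))  # True
    print(redirect_uri_matches("https://example.com/callback",
                               "https://example.com:8443/callback"))  # False
```

The port exception is deliberately narrow: it applies only when both sides are loopback IP literals and the registered URI has no port, so a non-loopback redirect URI still has to match exactly, including any port.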

Examples

Here are some examples of redirect URIs:

  • https://example.com/callback
  • http://127.0.0.1:8000/callback
  • http://[::1]:8000/callback