Client Credentials Flow

The Client Credentials flow is used in server-to-server authentication. Since this flow does not include authorization, only endpoints that do not access user information can be accessed.

The following diagram shows how the Client Credentials Flow works:

Pre-requisites

This guide assumes that:

You have read the authorization guide.
You have created an app following the app guide.

Source Code

You can find an example app implementing Client Credentials flow on GitHub in the web-api-examples repository.

Request authorization

The first step is to send a POST request to the /api/token endpoint of the Spotify OAuth 2.0 Service with the following parameters encoded in application/x-www-form-urlencoded:

REQUEST BODY PARAMETER	VALUE
grant_type	Required Set it to `client_credentials`.

The headers of the request must contain the following parameters:

HEADER PARAMETER	VALUE
Authorization	Required Base 64 encoded string that contains the client ID and client secret key. The field must have the format: Authorization: `Basic <base64 encoded client_id:client_secret>`
Content-Type	Required Set to `application/x-www-form-urlencoded`.

Example

The following JavaScript creates and sends an authorization request:

var client_id = 'CLIENT_ID';
var client_secret = 'CLIENT_SECRET';
var authOptions = {
  url: 'https://accounts.spotify.com/api/token',
  headers: {
    'Authorization': 'Basic ' + (new Buffer.from(client_id + ':' + client_secret).toString('base64'))
  },
  form: {
    grant_type: 'client_credentials'
  },
  json: true
};
request.post(authOptions, function(error, response, body) {
  if (!error && response.statusCode === 200) {
    var token = body.access_token;
  }
});

If everything goes well, you'll receive a response similar to this containing the Access Token:

{
   "access_token": "NgCXRKc...MzYjw",
   "token_type": "bearer",
   "expires_in": 3600
}

What's next?

Learn how to use an access token to fetch data from the Spotify Web API in the Access Token guide.