Why can't I use the Spotify Web API for free anymore? Help with a 403 permission error when calling the API from Python
Question
I'm building a Python app that needs to access user playlists and their content via the Spotify API. Here's my current code:
```python
import os
import base64
from requests import post, get
import json

clientid = "why would you want to see it"
clientsecret = "no"

def getToken():
    auth_string = clientid + ":" + clientsecret
    auth_bytes = auth_string.encode("utf-8")
    auth_base64 = str(base64.b64encode(auth_bytes), "utf-8")

    url = "https://accounts.spotify.com/api/token"
    headers = {
        "Authorization": "Basic "+auth_base64,
        "Content-Type": "application/x-www-form-urlencoded"
    }
    data = { "grant_type": "client_credentials" }
    result = post(url, headers=headers, data=data)
    json_result = json.loads(result.content)
    token = json_result["access_token"]
    return token

def get_auth_header(token):
    return {"Authorization": "Bearer "+token}

def get_playlist(token, playlist_id):
    url = "https://api.spotify.com/v1/playlists/"
    headers = get_auth_header(token)
    query_url = url + playlist_id +"/tracks"
    result = get(query_url, headers=headers)
    print(token)
    print(query_url)
    print(result)

token = getToken()
get_playlist(token, "021tegZzZnT8YEpLr0lC3V")
```
The playlist ID in the last line refers to a public playlist. I even tried using the "search" endpoint to look up artists, but all requests return a 403 Forbidden error. When I send requests via ThunderClient, I also get 403 with a message saying Spotify Premium is required. My developer dashboard mentions needing Premium, but I've seen plenty of video tutorials that use the API without it. Since not all my app's users will have Premium, I'm wondering:
- Why can't I use the Spotify Web API for free now?
- How can I fix this permission issue?
Answer
Great question—let me break this down clearly for you. The root of your 403 error comes down to two key things: the authorization flow you’re using and the context Spotify requires for certain endpoints.
First, let’s unpack the client_credentials flow you’re currently using:
- This flow is meant for server-to-server requests that don’t need access to user-specific data. It only grants your app access to public Spotify data, but Spotify has tightened restrictions lately—even public playlist endpoints now expect a user context (i.e., an authenticated user, even a free one) to serve data. The client credentials flow doesn’t provide that user context, which is why you’re hitting the "requires Premium" block (the error message is a bit misleading here—it’s not about Premium status, but about missing user authentication).
The tutorials you saw worked because they used a different flow:
- Most guides rely on the Authorization Code Flow (or PKCE for mobile/web apps). This flow authenticates a specific user (free or Premium), and once you have a user access token, you can access public playlists (and even the user’s own playlists if you request the right scopes) without needing a Premium subscription. This user context is what Spotify’s endpoints are looking for now.
How to fix your issue:
Switch to the Authorization Code Flow. Here’s a simplified, working Python example to get you started (this is for server-side apps; use PKCE if building client-side apps like React or mobile):
```python
import os
import base64
from requests import post, get
import json
from urllib.parse import urlencode

client_id = "your_client_id"
client_secret = "your_client_secret"
redirect_uri = "http://localhost:8080/callback"  # Match this to your Spotify Developer Dashboard settings

# Step 1: Generate the authorization URL to send the user to
def get_auth_url():
    # Public playlists need no scope; playlist-read-private also lets the app
    # read the user's own private playlists
    scopes = "playlist-read-private"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scopes,
        "show_dialog": "true"  # Forces the user to re-authorize if needed
    }
    return "https://accounts.spotify.com/authorize?" + urlencode(params)

# Step 2: Exchange the authorization code for an access token
def get_token_from_code(code):
    auth_string = f"{client_id}:{client_secret}"
    auth_bytes = auth_string.encode("utf-8")
    auth_base64 = str(base64.b64encode(auth_bytes), "utf-8")

    url = "https://accounts.spotify.com/api/token"
    headers = {
        "Authorization": f"Basic {auth_base64}",
        "Content-Type": "application/x-www-form-urlencoded"
    }
    data = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri
    }
    result = post(url, headers=headers, data=data)
    json_result = json.loads(result.content)
    return json_result["access_token"], json_result.get("refresh_token")

# Step 3: Fetch playlist tracks using the user's access token
def get_playlist(token, playlist_id):
    url = f"https://api.spotify.com/v1/playlists/{playlist_id}/tracks"
    headers = {"Authorization": f"Bearer {token}"}
    result = get(url, headers=headers)
    if result.status_code == 200:
        return json.loads(result.content)
    else:
        print(f"Request failed: {result.status_code} - {result.text}")
        return None

# Walk through the flow:
# 1. Get the auth URL and have the user log in (free accounts work!)
auth_url = get_auth_url()
print(f"Open this URL in your browser to authorize: {auth_url}")
code = input("Paste the authorization code from the callback URL here: ")

# 2. Exchange the code for tokens
access_token, refresh_token = get_token_from_code(code)

# 3. Fetch the public playlist
playlist_data = get_playlist(access_token, "021tegZzZnT8YEpLr0lC3V")
if playlist_data:
    print(json.dumps(playlist_data, indent=2))
```
Key notes to keep in mind:
- No Premium required: Free users can authorize your app and access public playlists (and their own playlists) perfectly fine with this flow.
- Update your dashboard: Make sure you’ve added the redirect_uri to your app’s settings in the Spotify Developer Dashboard—otherwise the authorization step will fail.
- Client-side apps? Use PKCE: If you’re building a web or mobile app where you can’t safely store the client secret, use the Authorization Code Flow with PKCE to avoid exposing sensitive credentials.
To wrap it up: The client credentials flow lacks the user context Spotify now requires for playlist endpoints. Switching to the Authorization Code Flow (with a free user’s authentication) will resolve your 403 error and let your app work for users without Premium.
The question comes from Stack Exchange; asked by skinnyleonard
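The PKCE variant that the answer recommends for client-side apps, as an added example that is not part of the original question or answer: it builds the authorization URL with an S256 code challenge and a `state` value, then validates the callback before building the token request, which carries the code verifier instead of a client secret. `CLIENT_ID` is a placeholder and the function names are hypothetical; no network request is made.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
CLIENT_ID = "your_client_id"                     # placeholder
REDIRECT_URI = "http://localhost:8080/callback"  # same value as in the answer

def code_challenge(verifier):
    """S256 challenge (RFC 7636): BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def start_login():
    """Return the URL to open and the per-login values to keep in the session."""
    session = {
        "verifier": secrets.token_urlsafe(64),  # 86 chars, inside the 43-128 limit
        "state": secrets.token_urlsafe(16),     # ties the callback to this login
    }
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": session["state"],
        "code_challenge_method": "S256",
        "code_challenge": code_challenge(session["verifier"]),
    }
    return AUTHORIZE_URL + "?" + urlencode(params), session

def token_request_body(callback_url, session):
    """Validate the callback, then build the form body for POST /api/token."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    returned = query.get("state", [""])[0].encode("utf-8")
    if not hmac.compare_digest(returned, session["state"].encode("utf-8")):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,               # public identifier, no secret sent
        "code_verifier": session["verifier"],
    }
```

Keep `session` server-side or in per-tab storage for the duration of one login only, and discard it once the token exchange has been attempted.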




