https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6179839#M14387 <P>Even if in your code you reference an environment variable, that only protects an API key from bad actors snooping through repositories on GitHub. Any build process for React or purely front-end Next.js will ultimately stick that API key into the JavaScript bundle shipped to the client, and it'll be exposed. Think about it: the only way users will be able to use your API key from a purely front-end app is if its in front end code</P><P>&nbsp;</P><P>However, Next.js allows for a lot of server-side actions... and, for your use case, caching behavior. You could get away with simple API key usage with some specific Next.js caching config. And deploying Next.js to Vercel is pretty streamlined. The free tier for hosting is generous, but if you're looking to monetize your app, that's a different story</P> Sun, 07 Jul 2024 20:21:49 GMT smacklol 2024-07-07T20:21:49Z https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6158324#M14285 <P><STRONG>Plan</STRONG></P><P>Free/Premium</P><P><STRONG>Country</STRONG></P><P>&nbsp;</P><P><STRONG>Device</STRONG></P><P>(iPhone 8, Samsung Galaxy 9, Macbook Pro late 2016)</P><P><STRONG>Operating System</STRONG></P><P>(iOS 10, Android&nbsp;Oreo, Windows 10,etc.)</P><P>&nbsp;</P><P><STRONG>My Question or Issue</STRONG></P><P>Hi, I'm developing a front end React Application where the&nbsp;<EM>only</EM> things I want from the API are just a few specific playlists and some recommendations. I don't need/want users to sign in, and ideally only I need to sign in once and then it'll remain authorized. I can't use a back end server, which seems required for refresh tokens. Is that correct? What would be the best way to go about this</P> Wed, 26 Jun 2024 17:15:39 GMT https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6158324#M14285 Blyxie 2024-06-26T17:15:39Z https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6159787#M14292 <P>If you do not have a backend, then you need to get a token via <A href="https://developer.spotify.com/documentation/web-api/tutorials/code-pkce-flow" target="_blank">authorization</A> (user login). If you maintain a backend, then you can use <A href="https://developer.spotify.com/documentation/web-api/tutorials/client-credentials-flow" target="_self">client credentials</A> (no user login required).&nbsp;</P> <P>&nbsp;</P> <P>What kind of application are you developing? Maybe you have a need of a backend for some other feature in the application?</P> Thu, 27 Jun 2024 08:45:16 GMT https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6159787#M14292 LambertSpot 2024-06-27T08:45:16Z https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6160164#M14299 <P>It's more that I don't want to pay for a server to deploy the application, although I could use something like NextJS maybe and host that for free on Vercel? However, if the client secret was kept as an env variable, couldn't that hide it even in a front end?</P> Thu, 27 Jun 2024 13:01:45 GMT https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6160164#M14299 Blyxie 2024-06-27T13:01:45Z https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6167078#M14326 <P>Yes, there are several alternatives (Vercel, GCP, AWS, Azure, etc.) that could provide you with a free backend if your usage is low enough (tip is to configure spending limits / alerts to prevent you from getting a surprise invoice).&nbsp;</P> <P>&nbsp;</P> <P>As for why you should not keep API secrets in the front end code, you can find <A href="https://escape.tech/blog/how-to-secure-api-secret-keys/#:~:text=Such%20a%20practice%20makes%20your,found%20in%20a%20JavaScript%20file." target="_self">several resources online</A> about the topic. But basically anyone using your application could get a hold of it, and use it to make API requests using your quota, cost you money, or access data related to requests made using it.&nbsp;</P> <P>&nbsp;</P> <P>Alternatively you can have a user authorization flow, you can read more about it <A href="https://developer.spotify.com/documentation/web-api/tutorials/code-pkce-flow" target="_blank">here</A>. But then you need a user to login to query the API.</P> Mon, 01 Jul 2024 09:10:55 GMT https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6167078#M14326 LambertSpot 2024-07-01T09:10:55Z https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6179839#M14387 <P>Even if in your code you reference an environment variable, that only protects an API key from bad actors snooping through repositories on GitHub. Any build process for React or purely front-end Next.js will ultimately stick that API key into the JavaScript bundle shipped to the client, and it'll be exposed. Think about it: the only way users will be able to use your API key from a purely front-end app is if its in front end code</P><P>&nbsp;</P><P>However, Next.js allows for a lot of server-side actions... and, for your use case, caching behavior. You could get away with simple API key usage with some specific Next.js caching config. And deploying Next.js to Vercel is pretty streamlined. The free tier for hosting is generous, but if you're looking to monetize your app, that's a different story</P> Sun, 07 Jul 2024 20:21:49 GMT https://community.spotify.com/t5/Spotify-for-Developers/Understanding-Long-Term-Authorization/m-p/6179839#M14387 smacklol 2024-07-07T20:21:49Z