topic Understanding PKCE Flow and Rate Limiting in Spotify for Developers https://community.spotify.com/t5/Spotify-for-Developers/Understanding-PKCE-Flow-and-Rate-Limiting/m-p/6687629#M16820 <P><STRONG>Hi, I'm integrating Spotify into my web application and have some questions about the PKCE flow. Specifically, I'm wondering about its security and purpose.</STRONG></P><P>With PKCE, the browser receives both the access and refresh tokens. However, Spotify enforces rate limits at the application level. This raises a concern: What prevents a user from obtaining their own access and refresh tokens and using them to spam requests to Spotify? This could quickly exhaust the app-wide rate limit, affecting all users.</P><P>Does Spotify have a mechanism to rate-limit individual users to prevent this kind of abuse? And if not, do I need to handle per-user rate limiting on my own? If I still need to manage rate limiting server-side, what’s the purpose of using PKCE at all, if I ultimately need to proxy requests through my backend?</P><P>&nbsp;</P><P><STRONG>Plan</STRONG></P><P>Premium</P><P>&nbsp;</P><P><STRONG>Operating System</STRONG></P><P>Windows 10</P> Sat, 01 Feb 2025 20:27:55 GMT jmbogs 2025-02-01T20:27:55Z Understanding PKCE Flow and Rate Limiting https://community.spotify.com/t5/Spotify-for-Developers/Understanding-PKCE-Flow-and-Rate-Limiting/m-p/6687629#M16820 <P><STRONG>Hi, I'm integrating Spotify into my web application and have some questions about the PKCE flow. Specifically, I'm wondering about its security and purpose.</STRONG></P><P>With PKCE, the browser receives both the access and refresh tokens. However, Spotify enforces rate limits at the application level. This raises a concern: What prevents a user from obtaining their own access and refresh tokens and using them to spam requests to Spotify? This could quickly exhaust the app-wide rate limit, affecting all users.</P><P>Does Spotify have a mechanism to rate-limit individual users to prevent this kind of abuse? And if not, do I need to handle per-user rate limiting on my own? If I still need to manage rate limiting server-side, what’s the purpose of using PKCE at all, if I ultimately need to proxy requests through my backend?</P><P>&nbsp;</P><P><STRONG>Plan</STRONG></P><P>Premium</P><P>&nbsp;</P><P><STRONG>Operating System</STRONG></P><P>Windows 10</P> Sat, 01 Feb 2025 20:27:55 GMT https://community.spotify.com/t5/Spotify-for-Developers/Understanding-PKCE-Flow-and-Rate-Limiting/m-p/6687629#M16820 jmbogs 2025-02-01T20:27:55Z