https://community.spotify.com/t5/Spotify-for-Developers/Errors-in-authorization-code-flow-documentation-for-refreshing/m-p/5386917#M4690 <P>According to the <A href="https://developer.spotify.com/documentation/general/guides/authorization/code-flow/" target="_self">authorization code flow</A> documentation, in order to use a refresh token to receive a new access token we need to POST a request to <A href="https://accounts.spotify.com/api/token" target="_blank">https://accounts.spotify.com/api/token</A>&nbsp;with the following fields in the x-www-form-urlencoded body:</P><P>&nbsp;</P><UL><LI><SPAN>grant_type</SPAN></LI><LI><SPAN>refresh_token</SPAN></LI></UL><P><SPAN>And send an HTTP basic authorization header with the base64 "client_id:client_secret" value. That all translate into something like:</SPAN></P><P>&nbsp;</P><PRE><SPAN>curl https://accounts.spotify.com/api/token \<BR /> -d 'grant_type=refresh_token' \<BR /> -d 'refresh_token=...' \<BR /> -H "Authorization: Basic $(echo -n "$client_id:$client_secret"|base64 -w0)"</SPAN></PRE><P>&nbsp;</P><P><SPAN>..but this doesn't appear to work. Following the suggestion of some random person on github, I am able to successfully request a new access token if I get rid of the authorization header and include in the request body:</SPAN></P><P>&nbsp;</P><UL><LI><SPAN>grant_type</SPAN></LI><LI><SPAN>refresh_token</SPAN></LI><LI><SPAN>client_id</SPAN></LI><LI><SPAN>client_secret</SPAN></LI></UL><P><SPAN>That is:</SPAN></P><PRE><SPAN>curl https://accounts.spotify.com/api/token \<BR /> -d 'grant_type=refresh_token' \<BR /> -d 'refresh_token=...' \<BR /> -d "client_id=$client_id" \<BR /> -d "client_secret=$client_secret"</SPAN></PRE><P>&nbsp;</P><P><SPAN>Is the documentation incorrect? Am I just lucky that the second form of the request works, even though it's not documented?&nbsp; Thanks!</SPAN></P> Fri, 27 May 2022 01:39:57 GMT larsks 2022-05-27T01:39:57Z https://community.spotify.com/t5/Spotify-for-Developers/Errors-in-authorization-code-flow-documentation-for-refreshing/m-p/5386917#M4690 <P>According to the <A href="https://developer.spotify.com/documentation/general/guides/authorization/code-flow/" target="_self">authorization code flow</A> documentation, in order to use a refresh token to receive a new access token we need to POST a request to <A href="https://accounts.spotify.com/api/token" target="_blank">https://accounts.spotify.com/api/token</A>&nbsp;with the following fields in the x-www-form-urlencoded body:</P><P>&nbsp;</P><UL><LI><SPAN>grant_type</SPAN></LI><LI><SPAN>refresh_token</SPAN></LI></UL><P><SPAN>And send an HTTP basic authorization header with the base64 "client_id:client_secret" value. That all translate into something like:</SPAN></P><P>&nbsp;</P><PRE><SPAN>curl https://accounts.spotify.com/api/token \<BR /> -d 'grant_type=refresh_token' \<BR /> -d 'refresh_token=...' \<BR /> -H "Authorization: Basic $(echo -n "$client_id:$client_secret"|base64 -w0)"</SPAN></PRE><P>&nbsp;</P><P><SPAN>..but this doesn't appear to work. Following the suggestion of some random person on github, I am able to successfully request a new access token if I get rid of the authorization header and include in the request body:</SPAN></P><P>&nbsp;</P><UL><LI><SPAN>grant_type</SPAN></LI><LI><SPAN>refresh_token</SPAN></LI><LI><SPAN>client_id</SPAN></LI><LI><SPAN>client_secret</SPAN></LI></UL><P><SPAN>That is:</SPAN></P><PRE><SPAN>curl https://accounts.spotify.com/api/token \<BR /> -d 'grant_type=refresh_token' \<BR /> -d 'refresh_token=...' \<BR /> -d "client_id=$client_id" \<BR /> -d "client_secret=$client_secret"</SPAN></PRE><P>&nbsp;</P><P><SPAN>Is the documentation incorrect? Am I just lucky that the second form of the request works, even though it's not documented?&nbsp; Thanks!</SPAN></P> Fri, 27 May 2022 01:39:57 GMT https://community.spotify.com/t5/Spotify-for-Developers/Errors-in-authorization-code-flow-documentation-for-refreshing/m-p/5386917#M4690 larsks 2022-05-27T01:39:57Z