Hi All,
Apologies, this is written by Claude, but at least it includes all the relevant data!
Problem
POST /v1/playlists/{playlist_id}/tracks consistently returns 403 "Forbidden" with no WWW-Authenticate header, even though:
The token has all required scopes
The same token successfully creates playlists via POST /v1/me/playlists
The playlist is owned by the authenticated user
The user is registered as a test user in the app's User Management
What works ✓
GET /v1/me → 200 (user: xxxxxx, product: premium)
POST /v1/me/playlists → 201 (playlist created, public: true, owner: xxxxxx)
All read endpoints (search, albums, tracks)
What fails ✗
POST /v1/playlists/{id}/tracks → 403 {"error":{"status":403,"message":"Forbidden"}}
PUT /v1/playlists/{id}/tracks → same 403
Same result from browser (native fetch) and server (Node.js native fetch + node-fetch)
Tried query-param format (?uris=...) — same 403
Tried collaborative private playlist — same 403
Token scopes granted (confirmed from /api/token response):
playlist-modify-private playlist-modify-public user-read-email user-read-private user-top-read
Server log showing the inconsistency:
POST /me/playlists → 201 {"public":true,"collaborative":false,"owner":{"id":"xx"}}
GET /playlists/{id}?fields=public,collaborative,owner → public:true, owner:xx
POST /playlists/{id}/tracks → 403 {"error":{"status":403,"message":"Forbidden"}}
WWW-Authenticate header: null
Key detail: This functionality worked in an earlier version of the same app with the same client ID.
No changes were made to the Spotify Developer Dashboard between then and now.
Questions:
What does 403 "Forbidden" with no WWW-Authenticate header mean specifically for POST /playlists/{id}/tracks?
Is there an app-level approval step required for this endpoint that's separate from the standard Development Mode 25-user limit?
If so, how do we request it — I can't find an "Extended Access" option in the dashboard?
Thanks!