Plan
Premium
Country
Belgium
Device
Galaxy S20FE, but also tested on other devices / emulators
Operating System
Android 11
My Question or Issue
Using the Android auth library provides an access token with insufficient permissions, even though the scopes are set correctly. Using this access code on simple calls such as https://api.spotify.com/v1/me provides a 'Forbidden' response.
I have checked the authorization request, and notice the correct scopes are provided. The user is indeed redirected to a webview containing all these permissions. Upon accepting them, an access token is provided, as expected. The request URL is as follows:
Spotify Auth starting with the request [https://accounts.spotify.com/authorize?client_id=<HIDDEN>
&response_type=token
&redirect_uri=spotify-sdk%3A%2F%2Fauth
&show_dialog=false
&utm_source=spotify-sdk
&utm_medium=android-sdk
&utm_campaign=android-sdk
&scope=streaming%20user-read-email%20user-read-private%20user-read-currently-playing%20user-read-playback-state%20user-modify-playback-state%20user-top-read%20playlist-modify-public%20playlist-modify-private%20playlist-read-private]
However, when using the access token for any API request, the following message is returned:
Forbidden
I am unsure what I am doing wrong here. Using the provided token in other applications (such as Postman) provides the same result. When creating an access token through the online console (https://developer.spotify.com/console/), it does provide the expected results. So I am quite confident the calls are correct.
I should also mention I tested this with a different account a week ago, and it still seems to work using the exact same code (even when removing the app's permissions from the profile, or when trying it on a completely new device!). That account is also the one that registered the application on the online dashboard. It is only when I started testing this with other accounts that it started going wrong. I also tested this on devices which never had Spotify (or my app) installed before, so I do not think it is a caching issue. I am unsure if there are further differences... The account that works uses "Premium for family". The other accounts that don't work are using the "Premium for students" plan and a trial version.
Expected result
The provided token should provide a correct response for these API calls.
Here is the relevant code for performing the request:
AuthorizationRequest.Builder builder = new AuthorizationRequest.Builder(CLIENT_ID, AuthorizationResponse.Type.TOKEN, getRedirectUri().toString()).setScopes(scopes);
AuthorizationRequest authRequest = builder.build();
loginButton.setOnClickListener((cl) -> AuthorizationClient.openLoginActivity(this, REQUEST_CODE, authRequest));
// ...
protected void onActivityResult(int requestCode, int resultCode, Intent intent) {
    super.onActivityResult(requestCode, resultCode, intent);
    // Check if result comes from the correct activity
    if (requestCode == REQUEST_CODE) {
        AuthorizationResponse response = AuthorizationClient.getResponse(resultCode, intent);
        switch (response.getType()) {
            // Response was successful and contains auth token
            case TOKEN:
                // Handle successful response
                Log.d("MainActivity", "Token received");
                UserData ud = new UserData();
                ud.setAccessToken(response.getAccessToken());
                // ...
                break;
        }
    }
}
EDIT: formatting