[Android SDK] Access token with correct scopes has insufficient permissions


[Android SDK] Access token with correct scopes has insufficient permissions

Casual Listener






Galaxy S20FE, but also tested on other devices / emulators

Operating System

Android 11


My Question or Issue


Using the Android auth library provides an access token with insufficient permissions, even though the scopes are set correctly. Using this access code on simple calls such as https://api.spotify.com/v1/me provides a 'Forbidden' response.


I have checked the authorization request, and notice the correct scopes are provided. The user is indeed redirected to a webview containing all these permissions. Upon accepting them, an access token is provided, as expected. The request URL is as follows:


Spotify Auth starting with the request [https://accounts.spotify.com/authorize?client_id=<HIDDEN>


However, when using the access token for any API request, the following message is returned:




I am unsure what I am doing wrong here. Using the provided token in other applications (such as Postman) provides the same result. When creating an access token through the online console (https://developer.spotify.com/console/), it does provide the expected results. So I am quite confident the calls are correct.


I should also mention I tested this with a different account a week ago, and it still seems to work using the exact same code (even when removing the app's permissions from the profile, or when trying it on a completely new device!). That account is also the one that registered the application on the online dashboard. It is only when I started testing this with other accounts that it started going wrong. I also tested this on devices which never had Spotify (or my app) installed before, so I do not think it is a caching issue. I am unsure if there are further differences... The account that works uses "Premium for family". The other accounts that don't work are using the "Premium for students" plan and a trial version. 


Expected result

The provided token should provide a correct response for these API calls.


Here is the relevant code for performing the request:




AuthorizationRequest.Builder builder = new AuthorizationRequest.Builder(CLIENT_ID, AuthorizationResponse.Type.TOKEN, getRedirectUri().toString()).setScopes(scopes);
AuthorizationRequest authRequest = builder.build();

loginButton.setOnClickListener((cl) -> AuthorizationClient.openLoginActivity(this, REQUEST_CODE, authRequest));

// ...
protected void onActivityResult(int requestCode, int resultCode, Intent intent) {
        super.onActivityResult(requestCode, resultCode, intent);

        // Check if result comes from the correct activity
        if (requestCode == REQUEST_CODE) {
            AuthorizationResponse response = AuthorizationClient.getResponse(resultCode, intent);

            switch (response.getType()) {
                // Response was successful and contains auth token
                case TOKEN:
                    // Handle successful response
                    Log.d("MainActivity", "Token received");
                    UserData ud = new UserData();




EDIT: formatting

3 Replies


Hi @Onon, sorry to hear about the trouble you're having here. What is your app's client ID?

Casual Listener

Hi Josh, thanks for your reply.


My client id is cd4e5a2ca570437fb10a9b6a732fd354


I've just tried to make a request with the broken account, in case that helps.


Hi, @Josh . I have the same issue, my client id is e7b20bcd68254856b46b62dd04c29501