According to the authorization code flow documentation, in order to use a refresh token to receive a new access token we need to POST a request to https://accounts.spotify.com/api/token with the following fields in the x-www-form-urlencoded body:
And send an HTTP basic authorization header with the base64 "client_id:client_secret" value. That all translates into something like:
curl https://accounts.spotify.com/api/token \
-d 'grant_type=refresh_token' \
-d 'refresh_token=...' \
-H "Authorization: Basic $(echo -n "$client_id:$client_secret"|base64 -w0)"
...but this doesn't appear to work. Following the suggestion of some random person on GitHub, I am able to successfully request a new access token if I get rid of the authorization header and include in the request body:
- grant_type
- refresh_token
- client_id
- client_secret
That is:
curl https://accounts.spotify.com/api/token \
-d 'grant_type=refresh_token' \
-d 'refresh_token=...' \
-d "client_id=$client_id" \
-d "client_secret=$client_secret"
Is the documentation incorrect? Am I just lucky that the second form of the request works, even though it's not documented? Thanks!
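The two requests above differ only in how the client authenticates: RFC 6749 section 2.3.1 allows either an HTTP Basic header or `client_id`/`client_secret` in the body, and prefers the header. The following is an added example, not part of the original post, for checking that a Basic header value really encodes the intended `client_id:client_secret` before suspecting the server; the function names and sample credentials are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: validate the value sent in "Authorization: Basic ...".
# basic_credentials and check_basic_header are hypothetical helper names.

# Encode "client_id:client_secret" for an HTTP Basic header.
# printf avoids the portability problems of `echo -n`; tr removes the line
# wrapping that base64 inserts by default on GNU systems (76 columns), so
# the GNU-only -w0 flag is not needed.
basic_credentials() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Classify a full header value against the expected credentials.
# Prints one of: ok, missing-scheme, trailing-newline, wrapped, mismatch.
check_basic_header() {
  local header="$1"
  local id="$2"
  local secret="$3"
  local value expected with_nl
  case $header in
    "Basic "*) value=${header#Basic } ;;
    *) echo missing-scheme; return 1 ;;
  esac
  expected=$(basic_credentials "$id" "$secret")
  # What the value looks like if a newline was encoded with the credentials
  # (for example plain `echo` without -n).
  with_nl=$(printf '%s:%s\n' "$id" "$secret" | base64 | tr -d '\n')
  if [ "$value" = "$expected" ]; then echo ok; return 0; fi
  if [ "$value" = "$with_nl" ]; then echo trailing-newline; return 1; fi
  # Whitespace inside the value means base64 output was wrapped or padded.
  case $value in *[[:space:]]*) echo wrapped; return 1 ;; esac
  echo mismatch; return 1
}

# Constructed sample credentials, not real ones.
sample_id='abc'
sample_secret='def'
check_basic_header "Basic $(basic_credentials "$sample_id" "$sample_secret")" \
  "$sample_id" "$sample_secret"
```

If the check prints `ok` and the header form is still rejected while the body form is accepted, the difference lies in which client authentication method the token endpoint accepts for that request, not in the encoding.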