Getting 403 while hitting https://api.spotify.com/v1/me/top/artists


Plan

Free/Premium

Country

 

Device

(iPhone 8, Samsung Galaxy 9, Macbook Pro late 2016)

Operating System

(iOS 10, Android Oreo, Windows 10,etc.)

 

My Question or Issue

 

3 Replies

Hi @Puja2 

Thank you for posting in the Spotify Community, and Welcome!

 

To troubleshoot this problem:

  • Do you also get this error with other endpoints?
  • How did you get the access token?

Let me know these details so I can better understand the issue and help you find a solution. Looking forward to your response!

Ximzend (Spotify Star)
Help others find this answer and click "Accept as Solution".
If you appreciate my answer, maybe give me a Like.
Note: I'm not a Spotify employee.

Hey, 

Below is the code I used to get the access token.

    // Redirect to the Spotify accounts page for every new user and connect with Spotify
    public async redirectSpotify({ ally, params, response, session }: HttpContext) {
      const userID = params.id
      session.put('userId', userID)
      const scopes = ['user-follow-read', 'user-library-read', 'streaming', 'user-read-email', 'user-top-read', 'user-read-private']
      return ally
        .use('spotify')
        .redirect((request) => {
          request.scopes(scopes)
        })
    }

Getting the 403 for the below code:

    let topArtistsResponse = await axios.get(
      // Endpoint taken from the list of APIs below
      'https://api.spotify.com/v1/me/top/artists',
      {
        headers: {
          Authorization: `Bearer ${token}`,
        },
      }
    )

Getting 403 for the below APIs which I tried:
https://api.spotify.com/v1/me/top/artists
https://api.spotify.com/v1/me/top/tracks
I even checked the scope; it looks like only scope: 'user-read-email' is being added.

Hi @Puja2 , I dug into this issue and wanted to share what I found.


The error indicates that the access token you’re using doesn’t have the required permissions. In my case, even though I was requesting additional scopes (such as "user-top-read"), the token returned only included the default scope (e.g. "user-read-email"). This usually happens because:

  • Cached Consent: If a user has previously logged in and granted a limited set of scopes, Spotify will continue to issue a token with those scopes unless you force a fresh reauthorization.
  • OAuth Flow Mismatch: Endpoints like /v1/me/top/artists require a user-specific token from the Authorization Code Flow rather than the Client Credentials Flow, which only provides access to public data.
  • Library/Configuration Nuances: Sometimes, OAuth libraries may not apply your custom scopes correctly if there’s an existing token or if the configuration isn’t set up exactly as Spotify expects.

Recommendations:
  • Force Reauthorization: Modify your authorization URL (e.g., add show_dialog=true) so users are prompted to grant all requested scopes again.
  • Verify Your Flow: Ensure you’re using the Authorization Code Flow to obtain a token that includes user-specific scopes like "user-top-read".
  • Inspect Your Token: After reauthorization, decode your access token to confirm that it contains the necessary scopes.


Hope this helps clear things up! If you’re still having issues or have further questions, feel free to ask.
Cheers!

Ximzend (Spotify Star)
Note: I'm not a Spotify employee.
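
An added example (not code from this thread or from Spotify): a TypeScript sketch of the checks recommended in the reply above. It builds an Authorization Code Flow URL with show_dialog=true and compares the `scope` field of the token response against what the endpoint needs before calling it. The helper names are hypothetical, and the client ID, redirect URI, state value and token responses are constructed placeholders.

```typescript
// Added example; helper names are hypothetical, sample values are constructed.
const AUTHORIZE_URL = "https://accounts.spotify.com/authorize";

// Fields of the token endpoint's JSON response that this example uses.
interface TokenResponse {
  access_token: string;
  token_type: string;
  expires_in: number;
  scope?: string; // space-separated granted scopes; treated as empty if absent
  refresh_token?: string;
}

// Authorization Code Flow URL that re-prompts for consent (show_dialog=true).
function buildAuthorizeUrl(clientId: string, redirectUri: string, state: string, scopes: string[]): string {
  const params = new URLSearchParams({
    client_id: clientId,
    response_type: "code",
    redirect_uri: redirectUri,
    state, // unguessable per-session value, compared on the callback (CSRF)
    scope: scopes.join(" "),
    show_dialog: "true",
  });
  return `${AUTHORIZE_URL}?${params.toString()}`;
}

// Scopes the caller needs that the token response does not list.
function missingScopes(token: TokenResponse, required: string[]): string[] {
  const granted = new Set((token.scope ?? "").split(/\s+/).filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Fail early with a clear message instead of discovering a 403 at the API.
function requireScopes(token: TokenResponse, required: string[]): void {
  const missing = missingScopes(token, required);
  if (missing.length > 0) {
    throw new Error(`token lacks scopes: ${missing.join(", ")}; re-authorize the user`);
  }
}

// Constructed token responses: one as described in the thread, one complete.
const narrowToken: TokenResponse = { access_token: "CONSTRUCTED", token_type: "Bearer", expires_in: 3600, scope: "user-read-email" };
const fullToken: TokenResponse = { ...narrowToken, scope: "user-read-email user-top-read" };

console.log(buildAuthorizeUrl("CLIENT_ID_PLACEHOLDER", "http://localhost:3333/callback", "STATE_PLACEHOLDER", ["user-top-read", "user-read-email"]));
console.log(missingScopes(narrowToken, ["user-top-read"])); // the case from the thread
console.log(missingScopes(fullToken, ["user-top-read"]));
```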
