I'm looking at creating a mod for a game which will allow users to control their local desktop Spotify app (as in the official one by spotify) using controls inside the game (note that I will not be streaming the audio into the game itself).
In order to authenticate the user I can't use an ingame way to display the login page because there's not really any feasible way to display a working secure web browser within the game. So my plan is to create an install script that authenticates the user using the Authorization Code Flow method which will be able to spawn a browser and perform the authentication.
I have a few issues that I wanted to clarify because I don't want to break ToS if I can avoid it so any clarification would be appreciated:
1) Since this will be client side code releasing the code with my API secret token for my app would be a bad idea since anyone could just grab it and do whatever with it. And implicit flow doesn't really work because the user would have to keep jumping out of the game (which is in VR by the way) to re authenticate constantly. Would it be permissible to have users create a developer account with spotify and generate their own API token with which the app will communicate with the API?
2) Is there a recommended way for me to store the users' tokens on disk in a secure way that's accessible by the install script for writing and the mod's code itself?
3) Under ToS IV.3.c...
Unless you receive Spotify’s written approval, you shall not use the Spotify Platform to incorporate Spotify Content into any game functionality (including trivia quizzes).
Would my use case violate the terms of service, even though I am not using Spotify's content in any "gamified" way and simple using it as a media player (and not even that, just as a control widget for an actual Spotify client the user would be using anyway)? If not, is there a way to obtain written approval for this usecase from Spotify?