hi, thanks for a thorough answer.

1. weirdly, sometimes it DOES work even when I'm authenticated (providing full quality playback, ability to add to my playlist etc.). Why can that be? For me it suggests that the embed is actually supposed to work in this case and we are dealing with a bug or a misconfiguration on my end.

2. In general, I'd be fine with only providing preview. But how can I enforce that? For now, if a visitor happens to be an authenticated spotify user, my embed doesn't work (at least part of the time) because of content security policy?

Thanks,

For the first question about why it sometimes works when authenticated - this is likely because Spotify's authentication flow can behave inconsistently in embedded contexts. When it works while authenticated, it might be because:

The authentication token is being handled differently in certain browser sessions
Spotify might have different CSP implementations across their various subdomains
Your particular embed configuration might occasionally satisfy the security requirements

Regarding the second question about enforcing preview mode only, you have a few options:

Use the explicit preview embed URL format that Spotify provides, which looks like:
https://open.spotify.com/embed/track/ID?utm_source=generator&theme=0&preview=true
The key parameter here is preview=true which should force the preview mode.

Add parameters to disable authentication features:
https://open.spotify.com/embed/track/ID?utm_source=generator&theme=0&view=coverart
The view=coverart parameter tends to simplify the embed and reduce authentication needs.

Consider using the Spotify Web API directly instead of iframes if you need more control over the behavior, though this requires more development work.

tried "preview=true" - no any effect. It does not affect the behaviour of the embed. 

Is there any documentation for this query parameters for embeds? Can you give a link?

Ok it was an AI hallucination, I guess. Does anyone have any other ideas? Would really appreciate it.