Thanks for advice but I still getting 403,"message" : "Forbidden." even after I generated access tokens from "code flow"
Here is my walkthrough Authorization Code Flow scheme in python :

so for running I use 3 python files:
spo.py
refresh.py
access.py
Go to dir where spo.py file is located and run this in linux console:
uvicorn spo:app --host 0.0.0.0 --port 8000 2>&1 | tee -a uvicorn_access.log
then open in browser http://localhost:8000 complete autorisation wih your log&pass and then click on Authorize link
after that run once in console:
python3 refresh.py
and finally
python3 access.py
access_tokenS will be in accessT.txt
it have rights permissions as I can see

after that I'm trying some API requests:
add-tracks-to-playlist : (WORKING)
curl -X POST 'https://api.spotify.com/v1/playlists/*****/tracks?uris=spotify%3Atrack%3A7hkYSZ1Ry7OeBGrTzLhg0c' -H "Authorization: Bearer $(tail -n 1 /PATH/accessT.txt)"
save-tracks-user : (NOT WORKING)
curl --request PUT 'https://api.spotify.com/v1/me/tracks?ids=7hkYSZ1Ry7OeBGrTzLhg0c' --header "Authorization: Bearer $(tail -n 1 /PATH/accessT.txt)"
getting 403,"message" : "Forbidden.
If I intentionally corrupt the token, it says the token is invalid
So could it be related to my free plan or not?
also I'm tryed access tokens*1 and *2 with same result it can see on my scheme upper
can anybody help me?
here is my source code files:
spo.py
from fastapi import FastAPI
from fastapi.responses import HTMLResponse
import requests
import uvicorn
client_id = "99493f576c2d43018***************"
client_secret = "8debd3e6994b4***************"
redirect_uri = "http://localhost:8000"
app = FastAPI()
def get_access_token(auth_code: str):
response = requests.post(
"https://accounts.spotify.com/api/token",
data={
"grant_type": "authorization_code",
"code": auth_code,
"redirect_uri": redirect_uri,
},
auth=(client_id, client_secret),
)
access_token = response.json()["access_token"]
return {"Authorization": "Bearer "**bleep**("/")
async def auth():
scope = ["playlist-modify-private", "playlist-modify-public"]
auth_url = f"https://accounts.spotify.com/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect_uri}&scope={' '.join(scope)}"
return HTMLResponse(content=f'<a href="{auth_url}">Authorize</a>')
refresh.py
import re
import requests
import base64
import json
client_id = "99493f576c2d430******"
client_secret = "8debd3e6994******"
redirect_uri = "http://localhost:8000"
token_url = "https://accounts.spotify.com/api/token"
with open("/PATH/uvicorn_access.log", "r") as log_file:
lines = log_file.read().splitlines()
last_line = lines[-1]
code_match = re.search(r'code=([^&\s"]+)', last_line)
if code_match:
code = code_match.group(1)
else:
print("Code not found in the last line.")
data = {
"code": code,
"redirect_uri": redirect_uri,
"grant_type": "authorization_code"
}
encoded = base64.b64encode((client_id + ":" + client_secret).encode("ascii")).decode("ascii")
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic " + encoded
}
response = requests.post(token_url, data=data, headers=headers)
if response.status_code == 200:
response_data = response.json()
print("Full JSON Response:")
print(json.dumps(response_data, indent=4))
refresh_token = response_data["refresh_token"]
access_token = response_data["access_token"]
with open("/PATH/uvicorn_access.log", "a") as log_file:
log_file.write(f"refresh_token: {refresh_token}\n")
with open("/PATH/accessT.txt", "a") as log_file:
log_file.write(f"{access_token}\n")
else:
print(f"Error: {response.status_code}, {response.text}")
access.py
import re
import requests
import base64
import json
client_id = "99493f576c2d43***********"
client_secret = "8debd3e699***********"
token_url = "https://accounts.spotify.com/api/token"
with open("/PATH/uvicorn_access.log", "r") as log_file:
lines = log_file.read().splitlines()
last_line = lines[-1]
token_match = re.search(r'refresh_token: ([^\s]+)', last_line)
if token_match:
refresh_token = token_match.group(1)
else:
print("Refresh Token not found in the last line.")
data = {
"grant_type": "refresh_token",
"refresh_token": refresh_token,
}
encoded = base64.b64encode((client_id + ":" + client_secret).encode("ascii")).decode("ascii")
headers = {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic " + encoded
}
response = requests.post(token_url, data=data, headers=headers)
if response.status_code == 200:
response_data = response.json()
print("Full JSON Response:")
print(json.dumps(response_data, indent=4))
access_token = response_data["access_token"]
with open("/PATH/accessT.txt", "a") as log_file:
log_file.write(f"{access_token}\n")
else:
print(f"Error: {response.status_code}, {response.text}")