I'm adding Spotify to my Android app but cannot understand the processes for retrieving an access token to make endpoint calls as well as refreshing that token once it has expired. If someone could provide some clarity for how to interact with the auth endpoints, that would be really helpful.
I have been following the Authorization Guide page among other pages in the documentation, and have set up the endpoints in Postman, but am unable to get them to work as expected.
- First, I need to fetch an access token after the user signs in.
What is the correct endpoint to use for this? I am able to use the AuthorizationClient.openLoginActivity call that is used to authenticate the user with my app. If the user hasn't allowed the app to access their Spotify before, this call shows the Spotify prompt to them and then returns a token in the onActivityResult method of the calling activity. However, I feel like I'm not supposed to use that to get the initial token every time.
I am able to call https://accounts.spotify.com/api/token with grant_type='client_credentials' and my clientId and clientSecret values as params, and it comes back with the access token String, token type as "Bearer", and expires value of 3600. This seems like the correct endpoint and result, but when I use that bearer token in my Postman calls (/me/tracks or /me/playlists for example), I get a 401 Unauthorized or a 403 Forbidden.
Only by going back into the app and launching the AuthorizationClient.openLoginActivity am I able to get a valid access token which works with those calls in Postman.
- Second, once I have a valid access token, how do I refresh it when it is expired?
I don't see anything about refreshing tokens in the Android documentation, only the part about using AuthorizationClient.openLoginActivity to approve the app. In the Web API documentation however, I see instructions to call https://accounts.spotify.com/api/token with grant_type='refresh_token' along with a refresh token, clientId and clientSecret. I'm not sure if that is relevant to Android or only for Web. If it's the right endpoint for Android as well, where does the refresh_token value come from? The response from the AuthorizationClient activity only has an access token, no refresh token.
I have been reading through all the documentation pages on the Spotify Developer site, but am still not sure if the Web APIs apply to Android as well or not. I cannot figure out how I'm supposed to interact with the auth service to obtain and maintain a valid access token through the life of my app. Any help would be hugely appreciated.
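Added example (not the asker's code and not Spotify's own): the grant_type='refresh_token' exchange against https://accounts.spotify.com/api/token that the Web API guide describes, wrapped in a small store that refreshes the Bearer token shortly before its expires_in runs out. The HTTP Basic header for the client credentials, the 60-second margin, and the injectable transport (so the logic runs offline) are assumptions of this example.

```python
# Added example (not code from the original post): refresh-token lifecycle for
# Spotify's accounts service, with an injectable transport so it runs offline.
import base64
import time
from typing import Callable, Dict, Optional

TOKEN_URL = "https://accounts.spotify.com/api/token"  # endpoint named in the post
REFRESH_MARGIN = 60  # assumed safety margin (seconds) before expires_in runs out


def build_refresh_request(client_id: str, client_secret: str, refresh_token: str):
    """grant_type=refresh_token request: the client credentials travel in an HTTP
    Basic header rather than as form/query parameters, so they are not logged."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return TOKEN_URL, headers, form


class TokenStore:
    """Caches the Bearer token and refreshes it shortly before it expires.
    transport(url, headers, form) must POST the form and return the parsed JSON."""

    def __init__(self, client_id: str, client_secret: str, refresh_token: str,
                 transport: Callable[[str, Dict, Dict], Dict],
                 now: Callable[[], float] = time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token, self._transport, self._now = refresh_token, transport, now
        self.access_token: Optional[str] = None
        self.expires_at = 0.0

    def needs_refresh(self) -> bool:
        return self.access_token is None or self._now() >= self.expires_at - REFRESH_MARGIN

    def get_access_token(self) -> str:
        if self.needs_refresh():
            resp = self._transport(*build_refresh_request(
                self.client_id, self.client_secret, self.refresh_token))
            self.access_token = resp["access_token"]
            self.expires_at = self._now() + int(resp["expires_in"])
            # Spotify may rotate the refresh token; keep the newest one if sent.
            self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return self.access_token


def fake_transport(url: str, headers: Dict, form: Dict) -> Dict:
    """Constructed offline stand-in for the accounts service (sample data only)."""
    return {"access_token": "AT-" + form["refresh_token"][-4:], "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": form["refresh_token"] + "!"}
```

A client_credentials token, by contrast, is issued without any user having signed in and comes with no refresh_token, which is why it cannot be renewed this way; only the user-authorized flow yields one.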