Josh Brown

Apps that make requests to the Spotify Web API rely on OAuth 2.0: a system that helps users authorize third-apps to access Spotify data. Since 2014, Spotify has supported three OAuth flows: the implicit grant flow, the authorization code flow, and the client credentials flow. Today, we are excited to announce that Spotify is offering support for the Proof Key for Code Exchange (PKCE) extension to the OAuth 2.0 authorization code flow. PKCE makes it easier for developers to build mobile and desktop apps that require permission from Spotify users.

In 2015, the Internet Engineering Task Force (IETF) published an RFC that described a new technique for native app authentication called Proof Key For Code Exchange. PKCE — pronounced "pixy" — is similar to the classic OAuth 2.0 authorization code flow with a few changes. Before beginning the authentication process, an app using PKCE will generate a code challenge and a code verifier. The code challenge — a hash of the code verifier — is passed to the authorization server when a user begins the OAuth flow. Later, when requesting an access token, the app sends the code verifier to the authorization provider. This technique allows third-party apps to securely fetch a refreshable access token without a client secret, and it helps to mitigate some security problems that can affect mobile apps using other OAuth flows.

Spotify's PKCE implementation is based closely on the IETF RFC. This means that you can use an existing OAuth 2.0 client library with support for the PKCE extension — like the OpenID AppAuth libraries for iOS or Android — to build your app. If you prefer to write your own PKCE client implementation then you can read Spotify's updated authorization guide for full details.

We're excited to see what developers will use the new PKCE functionality to build. Have questions about OAuth? Join us in the Spotify developer community forums and let us know what you're working on. Happy coding!