Auth with Postman

This guide walks you through the Authorization Code Flow to obtain and use access tokens for the Spotify Web API, even without a running server. Use Postman to test the process and resolve common issues like the "response_type must be code or token" error.

Step-by-Step Fix in Postman

Follow these steps to configure your Spotify app, capture an authorization code, exchange it for an access token, and call the albums endpoint.

Step 1: Verify Spotify App Configuration

Ensure your Spotify application is correctly set up with the redirect URI.

  1. Go to the Spotify Developer Dashboard.
  2. Select your app and click Edit Settings.
  3. Under Redirect URIs, add http://127.0.0.1:8000/callback:
    • Use exactly http://127.0.0.1:8000/callback (no trailing slashes, use 127.0.0.1 instead of localhost).
    • Save the changes.
  4. Note your Client ID and Client Secret for later use.

Step 2: Construct and Test the Authorization URL

Fix the "response_type must be code or token" error by building a correct authorization URL.

  1. Construct the authorization URL with these parameters:

    • client_id: Your Client ID.
    • response_type: code (for Authorization Code Flow).
    • redirect_uri: http://127.0.0.1:8000/callback (URL-encoded).
    • scope: user-library-read.
    • state: A random string (e.g., 12345) that protects against cross-site request forgery; check that the redirect returns the same value.
    • Example:
      https://accounts.spotify.com/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fcallback&scope=user-library-read&state=12345
  2. Test the URL:

    • Paste the URL into a browser (e.g., Chrome).
    • Log in to Spotify and authorize the app.
    • The browser will redirect to http://127.0.0.1:8000/callback?code=AUTHORIZATION_CODE&state=12345.
    • You may see "site can't be reached" (expected without a server), but copy the AUTHORIZATION_CODE (e.g., AQBB8bO8QPJGLGrUDOQTqbwJzMs078o08AI5g9vcvcqw4dCFmlHJc7t9YBzvfSDIlMYAOklahY3KvvyWvBcgIDVegmtm-Cq227TWTjQPnsZ0HbDO58jMqTqubBVrEukKGJAipcpDyddnJIxrvJnQQaT6j7-IGU5p7ZvTpaZNCC-hGppkXeqjd4vtmcj2W1mQQyf2S-M).
  3. Troubleshoot the Error:

    • If you see "response_type must be code or token":
      • Ensure response_type=code is exact (no typos, case-sensitive).
      • Verify no extra spaces or characters in the URL.
      • Confirm you're using /authorize, not /api/token.
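
The Step 2 procedure as an added Python example (not part of the original guide or Spotify's own code): it builds the authorization URL with an unpredictable state and validates the redirect URL copied from the browser before the code is used. The function names `build_authorize_url` and `extract_code` and the sample redirect are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://accounts.spotify.com/authorize"
REDIRECT_URI = "http://127.0.0.1:8000/callback"  # must match the dashboard entry exactly


def build_authorize_url(client_id, scope="user-library-read"):
    """Hypothetical helper: return (url, state) for the Authorization Code Flow."""
    state = secrets.token_urlsafe(16)  # unpredictable, unlike the 12345 placeholder
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",       # exact, lowercase
        "redirect_uri": REDIRECT_URI,  # urlencode() percent-encodes ':' and '/'
        "scope": scope,
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def extract_code(callback_url, expected_state):
    """Hypothetical helper: validate the redirect URL and return the code."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect did not land on the registered redirect URI")
    params = parse_qs(parts.query)
    returned_state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours.
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    if "error" in params:  # e.g. the user declined the authorization prompt
        raise ValueError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


if __name__ == "__main__":
    url, state = build_authorize_url("YOUR_CLIENT_ID")
    print("Open in a browser:", url)
    # Constructed sample redirect; in practice paste the URL from the address bar.
    sample = f"{REDIRECT_URI}?code=SAMPLE_CODE&state={state}"
    print("Authorization code:", extract_code(sample, state))
```
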

Step 3: Exchange Authorization Code for Access Token

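Use this cURL command to exchange the authorization code for an access token. Substitute the code you copied in Step 2 and your own Client ID and Client Secret; the redirect_uri must match the one used in Step 2.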

    curl --request POST \
      --url 'https://accounts.spotify.com/api/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data 'grant_type=authorization_code&code=AQBB8bO8QPJGLGrUDOQTqbwJzMs078o08AI5g9vcvcqw4dCFmlHJc7t9YBzvfSDIlMYAOklahY3KvvyWvBcgIDVegmtm-Cq227TWTjQPnsZ0HbDO58jMqTqubBVrEukKGJAipcpDyddnJIxrvJnQQaT6j7-IGU5p7ZvTpaZNCC-hGppkXeqjd4vtmcj2W1mQQyf2S-M&redirect_uri=http://127.0.0.1:8000/callback&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET'