Spotify Breaking Changes: OAuth Login Updates You Need to Know

Spotify is tightening up security and that means a few older integration methods are being retired. Specifically, Spotify is removing support for the Implicit Grant Flow and unencrypted HTTP redirect URIs. These are being replaced with more secure, modern alternatives to keep users’ data safe and your integrations compliant.

What Does This Mean for You?

If your Spotify app uses the Implicit Grant Flow to get access tokens, your integration will soon stop working. If you want to keep the lights on and your users logging in, you’ll need to update your authentication method to continue making requests to Spotify’s API.

How to Check if You’re Affected

A quick way to find out: search your app’s code for

response_type=token

If you see that line, you’re using the Implicit Grant Flow and will need to update. While you’re at it, check the redirect URIs registered for your app in the Spotify Developer Dashboard: any that start with http:// rather than https:// also need changing, because plain-HTTP redirect URIs are being removed at the same time.

What to Use Instead

Spotify recommends switching to the Authorization Code Flow (with PKCE for browser-only apps, which is what the steps below use). It uses:

response_type=code

Instead of dropping the access token straight into the redirect URL, Spotify returns a short-lived, single-use authorization code, which your app then exchanges for tokens in a separate request to the token endpoint: on your server using your client secret, or in the browser using PKCE with no secret at all. Either way the access token never appears in a URL, where it could leak through browser history, referrer headers or server logs.


Still With Us? Let’s Get Technical. How Do I Update?

You can read the full Spotify documentation and migration guide on Spotify’s developer site.

While the guide is useful, we found the code won’t work out of the box for many users.

1: Add new helper functions

function generateRandomString(length) {
  const possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  const values = crypto.getRandomValues(new Uint8Array(length));
  let output = '';
  for (let i = 0; i < length; i++) {
    // 256 is not a multiple of 62, so 'A'..'H' are very slightly favoured;
    // negligible for a 64-character verifier.
    output += possible[values[i] % possible.length];
  }
  return output;
}

async function sha256(plain) {
  const encoder = new TextEncoder();
  const data = encoder.encode(plain);
  return await window.crypto.subtle.digest('SHA-256', data);
}

// Base64url without padding, which is the encoding PKCE requires for code_challenge.
function base64encode(arrayBuffer) {
  let bytes = new Uint8Array(arrayBuffer);
  let binary = '';
  for (let i = 0; i < bytes.byteLength; i++) {
    binary += String.fromCharCode(bytes[i]);
  }
  return btoa(binary)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=+$/, '');
}

// The verifier has to survive the round trip to Spotify and back, and the page
// reloads when the user returns, so keep it in storage rather than only in a
// variable. Await this before building the authorize URL.
async function createPkcePair() {
  const codeVerifier = generateRandomString(64);
  const hashed = await sha256(codeVerifier);
  const codeChallenge = base64encode(hashed);
  window.localStorage.setItem('code_verifier', codeVerifier);
  return { codeVerifier, codeChallenge };
}

2: Update your authorization endpoint

Note the '=' after code_challenge: without it the parameter is ignored and the token exchange in step 4 will be rejected.

const { codeChallenge } = await createPkcePair();
return 'https://accounts.spotify.com/authorize?client_id=' + CLIENT_ID +
  '&redirect_uri=' + encodeURIComponent(REDIRECT_URI) +
  '&scope=' + encodeURIComponent(scopes.join(' ')) +
  '&code_challenge_method=S256' +
  '&code_challenge=' + codeChallenge +
  '&response_type=code';

3: Update how you handle the authorization code

const urlParams = new URLSearchParams(window.location.search);
let code = urlParams.get('code');

Previously the Implicit Grant returned the access_token itself in the URL fragment (window.location.hash), exposed to anything that could read the page URL; now only a short-lived, single-use code arrives, in the query string, and it is useless without the code_verifier stored in step 1.

4: Request your new access token

The exchange sends the stored code_verifier and nothing else. A browser app is a public client and cannot keep a client secret, so do not add a Basic Authorization header built from CLIENT_SECRET: anyone who views source or opens the network tab would have it. If you have a backend, do this step there instead and keep the secret server-side. The JSON response contains access_token, token_type, expires_in, refresh_token and scope.

function getAccessToken(mycode) {
    var url = 'https://accounts.spotify.com/api/token';

    // The verifier saved before the redirect; Spotify hashes it and compares the
    // result with the code_challenge sent in step 2.
    var codeVerifier = window.localStorage.getItem('code_verifier');

    var params = {
      client_id: CLIENT_ID,
      grant_type: 'authorization_code',
      code: mycode,
      redirect_uri: REDIRECT_URI,
      code_verifier: codeVerifier
    };

    // jQuery form-encodes `data` for a POST, which is what the token endpoint expects.
    return jQuery.ajax({
        url: url,
        data: params,
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        method: 'POST'
    }).always(function () {
        // The verifier is single-use; drop it once the exchange has been attempted.
        window.localStorage.removeItem('code_verifier');
    });
}

TL;DR

  • What’s changing: Implicit Grant and HTTP redirect URIs are being deprecated.
  • Why: Better security for users and developers.
  • Action: Move to the Authorization Code Flow (response_type=code), with PKCE if the token exchange happens in the browser.

The deadline is November 27th 2025.

Get in touch if you need help updating your Spotify app – we’re digital activation experts and know the Spotify API inside out.


About the Author: Dan is an award-winning web designer and WordPress developer from Bristol with a passion for creativity, an eye for aesthetics and nearly two decades of experience working with renowned bands, iconic brands, and prestigious record labels from every corner of the globe.