I’m having trouble with Spotify Web API authentication and keep getting an “invalid client secret” error message. I’m trying to exchange my authorization code for an access token but something is going wrong.
I thought for OAuth2 authorization code flow you don’t need to include the client secret in the request body, but apparently I’m missing something. I know exposing client secrets publicly is bad practice, so I’m confused about the proper way to handle this. What am I doing wrong with my token exchange request?
yeah, u need the authorization header. spotify wants the client secret as a base64-encoded string in the header: Authorization: Basic <encoded_credentials>. don’t include it in the body. also, make sure u copied the client secret exactly from the dashboard - even small typos can mess things up.
You’re missing the Authorization header with your client credentials. Spotify’s API needs both client_id and client_secret for token exchange, but don’t put the client_secret in the request body - it goes in HTTP Basic auth instead. Encode your client_id:client_secret in base64 and stick it in the Authorization header: bash curl -X POST \ -H "Authorization: Basic <base64_encoded_client_id:client_secret>" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=authorization_code" \ -d "code=your_authorization_code" \ -d "redirect_uri=http://localhost:8080/callback" \ https://accounts.spotify.com/api/token That’s just how OAuth2 works - your client credentials authenticate the app during token exchange. Double-check you’re using the right client_secret from your Spotify app dashboard.
You’re only sending the client_id without proper authentication. To resolve this, manually create the base64 string by combining your client_id and client_secret with a colon (“client_id:client_secret”), and then encode the entire string to base64. I faced this issue when I first used Spotify’s API and was confused about where to place the credentials. Remember, the client_secret should go in the Authorization header, not in the request body. Also, keep this server-side only; exposing these credentials in frontend JavaScript can compromise your security.