Getting invalid scope error with Spotify API authentication despite using correct permissions

Other Questions Spotify
1

I’m working on a personal project using Spotify’s Web API and running into a frustrating issue with authentication. Every time I try to authorize my app, I get an “invalid scope” error message. I’ve double checked all the permissions I’m requesting and they all seem to be valid according to the documentation.

I’ve tried recreating my app credentials multiple times but the same error keeps happening. Here’s my current setup:

const appSettings = {
  apiEndpoint: 'https://api.spotify.com/v1/',
  authConfig: {
    app_id: 'my_client_id_here',
    callback_url: `${baseUrl}/auth-return`,
    permissions: 'user-read-private user-top-read user-read-recently-played user-read-currently-playing playlist-modify-public playlist-modify-private playlist-read-collaborative user-read-play-history',
    force_approval: true,
  },
};

And here’s how I build the base URL:

const { protocol, host, port } = window.location;
const baseUrl = `${protocol}//${host}${port ? `:${port}` : ''}`;

const urlConfig = {
  protocol,
  host,
  port,
  baseUrl,
  spotifyAuth: 'https://accounts.spotify.com/authorize',
};

Has anyone else run into this problem? I’m not sure what else to try at this point.

2

looks like there’s a typo in your scope names. change user-read-play-history to user-read-playback-history - had the same problem last month and that’s what fixed it. also make sure your redirect uri matches exactly what’s in your spotify dashboard.

3

I hit this exact issue building my music analytics tool last year. The problem was how I formatted the scope parameter in the auth URL. Don’t pass it as a space-separated string directly - you need to URL encode it first. Use encodeURIComponent() on your permissions string before adding it to the auth URL. Also double-check your client ID is correct and hasn’t been regenerated recently. I wasted hours debugging once only to find I was using an old client ID that Spotify had automatically rotated. And make sure all those scopes are actually enabled for your app type in the Spotify dashboard.

4

I’ve dealt with Spotify auth headaches for years - it’s almost always parameter naming issues. Use scope instead of permissions in your auth request. Also, user-read-play-history isn’t a real scope. You want user-read-playback-state. If you’re testing locally, double-check your redirect URI matches exactly in the Spotify dashboard - including port numbers and trailing slashes. It’s super picky about exact matches.