How to implement Spotify API authentication with PKCE flow in Android app

I’ve been struggling for weeks now trying to integrate Spotify’s authentication system into my Jetpack Compose project. My goal is to create a proper authentication flow that uses PKCE authorization code flow to log users in. Once authenticated, I need to fetch the user’s current playing song data and their profile information. I’m looking to build a ViewModel that manages the entire auth process, including storing access tokens securely and automatically refreshing them when they expire. The state management part is also important since I want to track whether the user is logged in or not. Has anyone successfully implemented this before? Any step by step guidance would be amazing!

totally! the spotify docs r pretty clear. managing state is key - track everything carefully. make sure ur ViewModel deals with tokens right and u shud be good. good luck!

pkce isn’t scary once u get the hang of it. my biggest mistake? not testing the auth callback properly - wasted days figuring out why tokens weren’t returning. make sure your redirect URI matches exactly what’s in your spotify dashboard. trailing slashes matter. also, don’t forget internet permission in ur manifest.

Been there with OAuth flows countless times. Everyone’s talking about manual redirects and token storage, but you’re just rebuilding the wheel.

Skip the custom PKCE headache and automate everything. Set up a workflow that handles Spotify’s entire auth dance - token requests, refreshes, callback handling. Trigger it from your Android app and get clean responses back without the redirect URI mess.

You don’t need to store tokens securely on device or manage refresh logic. Your automation does the heavy lifting while your app just hits authenticated endpoints. When Spotify changes their API, you update one workflow instead of rebuilding your entire auth system.

I use this for every OAuth integration now. Way cleaner than cramming that logic into ViewModels and Activities.

Check out Latenode for this: https://latenode.com

I’m actually working on this exact thing right now. The PKCE flow itself wasn’t too bad, but getting state management right in Jetpack Compose was a pain. Set up your ViewModel to expose auth state through StateFlow and let it handle everything internally. For the flow, make sure you’re generating the code verifier and challenge correctly - use SHA256 for the challenge method. Custom scheme works great for redirects, just set launchMode to singleTask in your manifest for the callback activity. Pro tip: implement proper error handling upfront for when users deny permissions or network calls fail. Saved me hours of debugging. Run token refresh in a background coroutine and update your auth state from there. Clear stored tokens when refresh fails with a 400 response.
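Worked example for the verifier/challenge step described above. This is added code, not the poster's own; it uses only JDK classes (`java.util.Base64` needs Android API 26+, or swap in `android.util.Base64` with `URL_SAFE or NO_PADDING or NO_WRAP`). The client id, redirect URI and scopes in `buildAuthorizeUrl` are placeholders you fill from your Spotify dashboard.

```kotlin
import java.net.URLEncoder
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// PKCE helpers for the Authorization Code + PKCE flow (RFC 7636, S256 method).
// Added example for this thread, not code from the original posters.
object Pkce {
    // RFC 7636 allows 43..128 unreserved chars; 64 random bytes -> 86 base64url chars.
    private const val VERIFIER_BYTES = 64
    private val random = SecureRandom()

    // base64url with no padding, which is what the spec and Spotify expect.
    private fun base64Url(bytes: ByteArray): String =
        Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)

    // code_verifier: high-entropy random string; keep it only until the callback completes.
    fun generateVerifier(): String {
        val bytes = ByteArray(VERIFIER_BYTES)
        random.nextBytes(bytes)
        return base64Url(bytes)
    }

    // code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    fun challengeFor(verifier: String): String {
        val digest = MessageDigest.getInstance("SHA-256")
            .digest(verifier.toByteArray(Charsets.US_ASCII))
        return base64Url(digest)
    }

    // What the token endpoint does when you later post the verifier with the code:
    // recompute the challenge and compare in constant time. Useful in unit tests.
    fun verifierMatches(verifier: String, challenge: String): Boolean =
        MessageDigest.isEqual(
            challengeFor(verifier).toByteArray(Charsets.US_ASCII),
            challenge.toByteArray(Charsets.US_ASCII)
        )
}

// Builds the /authorize URL. `state` should be a second random value you store and
// compare on the callback to reject responses you did not initiate.
fun buildAuthorizeUrl(
    clientId: String,      // placeholder: from your Spotify dashboard
    redirectUri: String,   // placeholder: must match the dashboard entry exactly
    scopes: List<String>,  // e.g. "user-read-currently-playing", "user-read-private"
    state: String,
    codeChallenge: String,
): String {
    val params = linkedMapOf(
        "client_id" to clientId,
        "response_type" to "code",
        "redirect_uri" to redirectUri,
        "scope" to scopes.joinToString(" "),
        "state" to state,
        "code_challenge_method" to "S256",
        "code_challenge" to codeChallenge,
    )
    val query = params.entries.joinToString("&") { (k, v) ->
        "$k=" + URLEncoder.encode(v, "UTF-8")
    }
    return "https://accounts.spotify.com/authorize?$query"
}

fun main() {
    val verifier = Pkce.generateVerifier()
    val challenge = Pkce.challengeFor(verifier)
    check(Pkce.verifierMatches(verifier, challenge))
    println(buildAuthorizeUrl("YOUR_CLIENT_ID", "myapp://callback",
        listOf("user-read-currently-playing", "user-read-private"), "random-state", challenge))
}
```

To sanity-check `challengeFor` against a published vector, RFC 7636 Appendix B gives verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` and S256 challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`. Hash the verifier's ASCII bytes, not the random bytes it was derived from; that mismatch is a common reason the token endpoint rejects the code.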

Just finished this last month after hitting the same issues. Auth flow works once you set it up right, but the real pain is managing token lifecycle in production. Use a sealed class in your ViewModel for auth states - unauthenticated, loading, authenticated, and error covers most cases. For PKCE, store the code verifier temporarily until callback finishes, then wipe it immediately. Biggest gotcha I hit: users backgrounding the app mid-auth breaks everything. Make your auth ViewModel lifecycle-aware to handle process death. Heads up - Spotify’s rate limiting is brutal during dev, so add exponential backoff for failed requests. User profile and currently playing need different scopes, so grab both upfront or you’ll end up doing auth twice.

I built this same flow 6 months ago and hit a bunch of gotchas. PKCE setup isn’t the hard part - it’s handling the redirect URI on Android that’ll trip you up. Register a custom URL scheme in your manifest and make sure your Activity handles the callback right. For storing tokens, skip SharedPreferences and use EncryptedSharedPreferences instead. The auto-refresh logic is where it gets tricky. Check token expiry before every API call and refresh early. Spotify’s access tokens die pretty fast, so you need solid refresh handling or you’re screwed. Oh, and handle users revoking permissions from Spotify’s end - that one bit me hard.
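Worked example covering the two replies above: the sealed-class auth state, tokens kept in EncryptedSharedPreferences, an expiry check with an early-refresh margin before each API call, and clearing tokens when refresh comes back 400. This is added code, not from the posters. `TokenEndpoint` is a hypothetical interface standing in for your HTTP client's call to Spotify's token endpoint; the `androidx.security.crypto` and `androidx.lifecycle` APIs are real.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.lifecycle.ViewModel
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
import kotlinx.coroutines.flow.MutableStateFlow
import kotlinx.coroutines.flow.StateFlow
import kotlinx.coroutines.flow.asStateFlow
import kotlinx.coroutines.sync.Mutex
import kotlinx.coroutines.sync.withLock

// Auth states exposed to Compose via StateFlow.
sealed class AuthState {
    object Unauthenticated : AuthState()
    object Loading : AuthState()
    data class Authenticated(val accessToken: String) : AuthState()
    data class Error(val message: String) : AuthState()
}

// expiresAtMillis is absolute time: computed from expires_in when the token is received.
data class Tokens(val accessToken: String, val refreshToken: String, val expiresAtMillis: Long)

// Hypothetical abstraction over POST https://accounts.spotify.com/api/token with
// grant_type=refresh_token (PKCE clients send client_id, no client secret).
interface TokenEndpoint {
    class HttpError(val code: Int) : Exception("token endpoint returned HTTP $code")
    suspend fun refresh(refreshToken: String): Tokens   // throws HttpError on non-2xx
}

// Encrypted on-device storage instead of plain SharedPreferences.
class TokenStore(private val prefs: SharedPreferences) {
    fun load(): Tokens? {
        val access = prefs.getString("access", null) ?: return null
        val refresh = prefs.getString("refresh", null) ?: return null
        return Tokens(access, refresh, prefs.getLong("expires_at", 0L))
    }
    fun save(t: Tokens) = prefs.edit()
        .putString("access", t.accessToken)
        .putString("refresh", t.refreshToken)
        .putLong("expires_at", t.expiresAtMillis)
        .apply()
    fun clear() = prefs.edit().clear().apply()

    companion object {
        fun encrypted(context: Context): TokenStore {
            val key = MasterKey.Builder(context).setKeyScheme(MasterKey.KeyScheme.AES256_GCM).build()
            return TokenStore(EncryptedSharedPreferences.create(
                context, "spotify_tokens", key,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM))
        }
    }
}

class AuthViewModel(
    private val store: TokenStore,
    private val endpoint: TokenEndpoint,
    private val now: () -> Long = System::currentTimeMillis,  // injectable for tests
) : ViewModel() {
    private val _state = MutableStateFlow<AuthState>(
        store.load()?.let { AuthState.Authenticated(it.accessToken) } ?: AuthState.Unauthenticated)
    val state: StateFlow<AuthState> = _state.asStateFlow()
    private val refreshLock = Mutex()   // prevents concurrent calls from refreshing twice

    // Call this before every Spotify API request. Refreshes early when the token is
    // within EARLY_REFRESH_MILLIS of expiry so a slow request does not race the clock.
    suspend fun validAccessToken(): String? = refreshLock.withLock {
        val tokens = store.load() ?: return@withLock null
        if (tokens.expiresAtMillis - now() > EARLY_REFRESH_MILLIS) return@withLock tokens.accessToken
        try {
            val fresh = endpoint.refresh(tokens.refreshToken)
            store.save(fresh)
            _state.value = AuthState.Authenticated(fresh.accessToken)
            fresh.accessToken
        } catch (e: TokenEndpoint.HttpError) {
            // 400 invalid_grant covers revoked/expired refresh tokens (user revoked access
            // from Spotify's side): wipe local state and send the user back through login.
            if (e.code == 400) {
                store.clear()
                _state.value = AuthState.Unauthenticated
            } else {
                _state.value = AuthState.Error(e.message ?: "refresh failed")  // transient: retry later
            }
            null
        }
    }

    fun logout() { store.clear(); _state.value = AuthState.Unauthenticated }

    private companion object { const val EARLY_REFRESH_MILLIS = 60_000L }
}
```

Because the initial state is read from the store in the constructor, a ViewModel recreated after process death comes back as `Authenticated` without re-running the flow; only the transient code verifier and `state` value from an in-progress login are lost, which is why those should live in `SavedStateHandle` rather than a plain field.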