Had the same issue building my Spotify integration last year. Your /dashboard endpoint probably doesn’t handle authentication properly. When you redirect after getting the token, Spring Security doesn’t know the user’s authenticated because you’re not creating a real session. You’ve got two options: store the access token in the session and configure Spring Security to recognize it, or create a custom authentication provider that validates the Spotify token. I stored mine in HttpSession and made a custom filter to check protected routes. Also check that your dashboard controller isn’t asking for different permissions than what you’re getting from Spotify OAuth. That 403 means your security config is rejecting the request even though Spotify already approved it.