[Notice] open.spotify.com/get_access_token No longer works

[yodaluca23]

Look for similar bugs

Please check if there's already an issue for your problem.
If you've only a "me too" comment to make, consider if a 👍 reaction
will suffice.

Description

A clear and concise description of what the problem is.
I don't know what Spotify changed but open.spotify.com/get_access_token no longer gives an accessToken, giving the error

{
  "error": {
    "code": 400,
    "message": "Invalid TOTP"
  }
}

Version

What version(s) of librespot does this problem exist in?
All

How to reproduce

Steps to reproduce the behavior in librespot e.g.

1. Navigate to open.spotify.com/get_access_token as described by https://github.com/librespot-org/librespot/wiki/Options#access-token
2. View error.

Log

Error Spotify gives:

{
  "error": {
    "code": 400,
    "message": "Invalid TOTP"
  }
}

Host (what you are running librespot on):

NA

Additional context

This really sucks for a lot of small OSS projects that depend on this for getting anonymous tokens aswell...

[kingosticks]

That does suck. It was very useful for those projects that got screwed over by the recent API changes. Let's see if we can circumvent this check. It's always going to be cat and mouse with these guys.

[michaelherger]

I don't use this feature. But the error message "Invalid TOTP" makes me wonder whether it's failing for you because you were using MFA, and whether it was simply an auth failure lack of a "time based one time password" (TOTP)?

[kingosticks]

No, they've changed something on their end to prevent public access. It was previously a super easy way to get an access token with lots (full?) permissions. It only required you have a couple of browser cookies set (done for you when you login to Spotify.com). It was particularly useful since that included access to all the recently deprecated endpoints. They've now closed that loophole as part of their ongoing effort to lose as many customers as possible.

I assume this endpoint is being used by their developer console, worth having a look there to see if we can undo this new protection.

[Wikijito7]

This error also happened at Spotube, a custom Spotify player, and they found a solution.

It seems Spotify changed how the token thingy works. Now, it is required to have a new request to get the final access token. From the current request, you have to create a totp with a timestamp given by Spotify and request this access_token to then use it on the new clienttoken api request.

See:

• generateTotp from Spotube: https://github.com/KRTirtho/spotube/blob/59f298a935c87077a6abd50656f8a4ead44bd979/lib/provider/authentication/authentication.dart#L135
• generate credentials cookie: https://github.com/KRTirtho/spotube/blob/59f298a935c87077a6abd50656f8a4ead44bd979/lib/provider/authentication/authentication.dart#L184

Something similar like this would need to be implemented here in order to make Spotify integration work again.

[kingosticks]

Great! For the record, this is just one way to get an access token. We list 2 others on our wiki

[yodaluca23]

As others have noticed in the related issues on other projects, Spotify is changing this a lot, when I first made this issue, it returned the error in my original post. Then SpotAPI cracked the TOTP:

Aran404/SpotAPI@9061bdd

And we were able to get in and it gave this:

{
  "clientId": "CLIENTID",
  "accessToken": "ACCESSTOKEN",
  "accessTokenExpirationTimestampMs": TIMESTAMP,
  "isAnonymous": true,
  "totpValidity": -1,
  "_notes": "Usage of this endpoint is not permitted under the Spotify Developer Terms and Developer Policy, and applicable law"
}

Then a few hours after that commit they openned it up completely and with nothing needed, no params, just like originally it would give this:

{
  "clientId": "CLIENTID",
  "accessToken": "ACCESSTOKEN",
  "accessTokenExpirationTimestampMs": TIMESTAMP,
  "isAnonymous": true,
  "totpValidity": false,
  "_notes": "Usage of this endpoint is not permitted under the Spotify Developer Terms and Developer Policy, and applicable law"
}

Though in my testing Python Requests didn't work code 429? Idk why but http.client worked.

Now it looks like they've changed it once again, opening it with no params returns:

{
  "error": {
    "code": 400,
    "message": "Unauthorized request",
    "extra": {
      "_notes": "Usage of this endpoint is not permitted under the Spotify Developer Terms and Developer Policy, and applicable law"
    }
  }
}

While SpotAPIs workaround still works the same, just wanted to document this here, it's very interesting to see what Spotify will decide on.

[roderickvd]

Welp, that note is something to take seriously.

[yodaluca23]

Also, sometime between all that, (I'm assuming this is related, at least evidence of Spotify changing stuff) Spotify added TOTP login even for non MFA accounts on the web player, if you try logging in now, it'll send a code to your email, to login. It still gives a password login option though.

[speedx77]

Thank god for y'all. Needed this badly to fix user search functionality in my app that became broke by their changes :)

[greffgreff]

Great! For the record, this is just one way to get an access token. We list 2 others on our wiki

Is there a link for it?

[kingosticks]

If you can't find it: https://github.com/librespot-org/librespot/wiki/Options#access-token

[sam9116]

looks like Spotify switched over to HMAC-based One-Time Password for authentication in their latest web player

there is no point retrieving server time anymore

[aviwad]

@sam9116 I do not know how cryptography works. Does this mean we should hold any hope in being able to work around Spotify's new login process? Or should we give up? I really appreciate you checking into how their web player works, they broke my app and I'm in desperate need of a fix :-)

[sam9116]

@sam9116 I do not know how cryptography works. Does this mean we should hold any hope in being able to work around Spotify's new login process? Or should we give up? I really appreciate you checking into how their web player works, they broke my app and I'm in desperate need of a fix :-)

as far as I can see, the secrets are still being generated the same way. but you will need to implement a persistent counter that keeps track of how many times the OTP have been requested, since Spotify will keep track of that on their server, if the two numbers doesn't match => OTP incorrect => no token

I'm not sure how sTime and cTime are generated or why they are needed as part of the token request, will have to do more testing around that

[sam9116]

interesting, it looks like the counter is actually implemented on the client side

[Thereallo1026]

This has definitely reached the point this is distracting and altogether unwelcome noise. Please take all of this somewhere else.

@roderickvd @photovoltex can we close and lock this one, it's gotten way off subject.

@kingosticks You're absolutely right, my apologies. This has derailed completely from the actual engineering challenge.
I'm done with the back and forth. I shouldn't have gotten drawn into a debate about theoretical computer science concepts on a reverse-engineering thread.
I'll stick to the librespot related technicals from now on. Appreciate your work on the project.

[kingosticks]

Thanks. I still think it's worth taking the ideas and facts here somewhere else. Github issues are really hard to navigate, especially when they get too long and older stuff gets hidden behind a load button.

[infinity0]

For debugging newbies that would like to contribute, I draw attention to my last comment before the derailing, which will work as a manual method regardless of any additional future obfuscation.

If they change algorithm away from TOTP, you can get relevant starting strings to search for, by setting XHR breakpoints for any network requests that seem like they are grabbing an access token.

[staniel359]

ok still works for v12 I wanna see how long my automation will work for

{
'10': {
raw: '=n:b#OuEfH\fE])e*K',
unit8: Uint8Array(18) [
61, 110, 58, 98, 35, 79,
117, 69, 102, 72, 92, 102,
69, 93, 41, 101, 42, 75
],
xor: '521004911046651228511990791148075621255181',
ascii: '535049484852574949485254545349505056534949575748555749495256485553545049505353495649'
},
'11': {
raw: 'o-(I_J#Uik<n7HEFrS?X[',
unit8: Uint8Array(21) [
111, 45, 40, 73, 95, 74, 35,
85, 105, 107, 60, 110, 55, 72,
69, 70, 114, 83, 63, 88, 91
],
xor: '10239356982684469120121471223494829410773366870',
ascii: '4948505157515354575650545652525457495048495049525549505051525752565057524948555551515454565548'
},
'12': {
raw: 'kQ19C]WQEC(]02.[^q)lMk"',
unit8: Uint8Array(23) [
107, 81, 49, 57, 67, 93, 87,
81, 69, 67, 40, 93, 48, 50,
46, 91, 94, 113, 41, 108, 77,
107, 34
],
xor: '9891585378838865848159733736576771107501128011761',
ascii: '57565749535653515556565156565453565256495357555151555154535554555549494855534849495056484949555449'
}
}

@DiamondRoPlayz Yeah, but what's the code for retrieving this?

[infinity0]

Thanks. I still think it's worth taking the ideas and facts here somewhere else. Github issues are really hard to navigate, especially then they get too long and older stuff gets hidden behind a load button.

Added https://github.com/librespot-org/librespot/wiki/Reverse-engineering

@DiamondRoPlayz Yeah, but what's the code for retrieving this?

I'm not holding my breath. Best bet is for as many people as possible to learn the reverse-engineering method.

[misiektoja]

@Thereallo1026 Yes from just /(\];const \w{2}=)(\w{2};)/g still where I insert global variable and the site only requires to run those 3 web-player scripts for it to run the main one so all other network requests can be blocked in puppeteer to optimize it 😭

But you really don't need to regex-grep the source (it's brittle and will break whenever Spotify tweaks their source code). It's actually much simpler: inject a runtime hook that captures every .secret assignment as the code executes. If you dump all of the objects with hooks in place, you'll see the secrets pop out already reconstructed, for example:

    "obj": {
      "secret": "kQ19C]WQEC(]02.[^q)lMk\"",
      "version": 12
    }

I wrote a Python script that does all the secrets extraction at runtime in the browser (via Playwright) - no source parsing required. The trick is to add a tiny setter before any Spotify code runs, so every obj.secret = call automatically fires your hook and records the value and version.

PoC: spotify_monitor_secret_grabber.py, more info in the Debugging Tools section of the spotify_monitor project.

Install playwright and run:

pip install playwright
playwright install

python3 spotify_monitor_secret_grabber.py

You'll get:

[sam9116]

I just want to say a huge thank you for everyone involved in cracking spotify's auth process, you guys are giving those overpaid engineers a run for their money

[Thereallo1026]

@misiektoja Amazing work, I wanted to confirm that your runtime hook method works perfectly!

It's a much more robust approach than parsing the source with regex. I was able to build on your idea and create a fully automated solution using GitHub Actions and JS to scrape the secrets on a schedule.

I've open-sourced it here for anyone interested: https://github.com/Thereallo1026/spotify-secrets

[Thereallo1026]

@misiektoja Amazing work, I wanted to confirm that your runtime hook method works perfectly!

It's a much more robust approach than parsing the source with regex. I was able to build on your idea and create a fully automated solution using GitHub Actions and JS to scrape the secrets on a schedule.

I've open-sourced it here for anyone interested: https://github.com/Thereallo1026/spotify-secrets

To anyone who is using the JSON files in my repo, I have pushed an update that changes the format of secretBytes.json. It now uses a unified format with secrets.json.

interface SpotifySecrets {
	secret: string | number[];
	version: number;
}
[];

[manhgdev]

Well, when I was looking for materials to learn how to reverse engineer source code to find secrets but didn't know where to learn

[infinity0]

@manhgdev Have a look at https://github.com/librespot-org/librespot/wiki/Reverse-engineering - practice on the current version until you can do it within 2-3 minutes, then you can do it again after the intern changes the object key from "secret" to "s3kr1t".

[EduardLupu]

now this topic was a great read, thanks everybody! please, never close this!

[roderickvd]

Probably should turn it into a discussion?

[aviwad]

Hey all. I've noticed that authenticating with the web player spdc token blocks me from using the official spotify web api calls.
I'm not allowed to use their search tracks call, nor can I use the call to check if a track is in the user's library. Any way around this limitation? I wouldn't want the user to authenticate twice

[aviwad]

Or I wonder if every public Web API call has an associated private call that I should use, since i'm using the private token.

[aviwad]

Annnddd they changed how things work
{"totpVerExpired":"error","totpValidUntil":"2025-09-10T09:00:00.000Z","error":{"code":400,"message":"Unauthorized request","extra":{"_notes":"Usage of this endpoint is not permitted under the Spotify Developer Terms and Developer Policy, and applicable law"}}}

It's before the TOTP validity date, so I imagine they switched something up in their process. Damn.

[Semmu]

Honestly, Spotify is working really hard to deter paying customers from their own platform... I'm getting really fed up with the new restrictions and regressions introduced in these last 2-3 years.

[Thereallo1026]

Still working fine for me here, maybe double check your TOTP generation settings

async function generateTotp(secrets: SpotifySecret): Promise<string> {
	const secretSauce = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

	const secretArray = secrets.secret
		.toString()
		.split("")
		.map((char) => char.charCodeAt(0));
	const secretCipherBytes = secretArray.map((e, t) => e ^ ((t % 33) + 9));

	const secretBytes = cleanBuffer(
		new TextEncoder()
			.encode(secretCipherBytes.join(""))
			.reduce((acc, val) => acc + val.toString(16).padStart(2, "0"), ""),
	);

	const secret = base32FromBytes(secretBytes, secretSauce);

	return TOTP.generate(secret).otp;
}