Authentication Methods
The Spotify plugin supports two authentication methods:
- oauth_2 (default) — Authorization Code flow with refresh tokens (recommended for user data and playback)
- api_key — A single stored string used as a Bearer access token for the Spotify Web API (advanced: you supply and refresh the token yourself)
oauth_2.
OAuth 2.0 (Recommended)
Step 1: Create a Spotify App
- Open the Spotify Developer Dashboard.
- Log in and click Create app.
- Set the app name, description, and redirect URI placeholder as required.
Step 2: Configure Redirect URIs
- Open your app → Settings.
- Under Redirect URIs, add the exact callback URL Corsair uses after authorization (must match what you configure in your deployment).
- Save.
Step 3: Copy Client ID and Client Secret
- On the same Settings page, copy Client ID and Client Secret.
user-read-private, user-read-email, user-read-playback-state, user-modify-playback-state, user-read-currently-playing, user-read-recently-played, user-library-read, user-library-modify, user-follow-read, user-follow-modify, playlist-read-private, playlist-read-collaborative, playlist-modify-public, and playlist-modify-private. Remove any scopes you do not need when configuring your own OAuth app, if Spotify’s dashboard allows it.
API Key (Bearer Access Token)
If you set authType: 'api_key', Corsair uses the stored value as the Bearer token for API requests. Spotify does not issue long-lived static API keys for the Web API; this mode is for cases where you obtain an access token (for example via the Client Credentials flow or a manual token for testing) and store it as api_key.
Storing credentials:
oauth_2 so Corsair can refresh tokens automatically.
Webhooks (Optional)
If you use Spotify webhooks that sign payloads, store the verification secret Corsair should use for your webhook endpoint.
Required Credentials Summary
For general information about how Corsair handles authentication, see Authentication.