Generate a cryptographically random code_verifier string (43–128 characters) and derive the code_challenge by hashing the verifier with SHA-256 and encoding the digest as URL-safe Base64 (base64url) with the padding stripped.
Redirect the user to the Spotify Accounts authorization endpoint with query parameters: client_id, response_type=code, redirect_uri, scope, state (a random value for CSRF protection), code_challenge, and code_challenge_method=S256.
After the user approves, Spotify redirects to your redirect_uri with a code parameter; verify the state value matches what you sent.
Exchange the authorization code for tokens by POSTing to the token endpoint with grant_type=authorization_code, code, redirect_uri, client_id, and code_verifier.
Store the returned access_token and refresh_token securely; use the refresh_token to obtain new access tokens without re-prompting the user.
Known gotchas
The code_verifier must be kept secret on the client and never sent until the token exchange step; the code_challenge is the only value sent during authorization.
PKCE does not require a client_secret, making it safe for public clients (mobile apps, SPAs); do not include the secret in client-side code.
The authorization code is single-use and short-lived; do not cache or reuse it.
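The five steps above and the gotchas under them, as an added Python example that is not part of the original page or of Spotify's own SDKs. It builds the requests but does not send them, so it runs offline; the client_id, redirect_uri and scope values are placeholders, and the two Spotify endpoint URLs are assumed from Spotify's public documentation rather than quoted from this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_URL = "https://accounts.spotify.com/authorize"  # assumed from Spotify docs
TOKEN_URL = "https://accounts.spotify.com/api/token"  # assumed from Spotify docs

def generate_code_verifier() -> str:
    """64 random bytes -> 86 base64url chars, inside RFC 7636's 43-128 limit."""
    return secrets.token_urlsafe(64)

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with '=' stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest()).rstrip(b"=").decode("ascii")

def build_authorization_url(client_id, redirect_uri, scope, state, verifier) -> str:
    """Authorization request: only the challenge travels here, never the verifier."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"

def extract_code(callback_url: str, expected_state: str) -> str:
    """Reject the callback unless its state matches the one we issued (CSRF check)."""
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [""])[0]
    if not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]

def build_token_request(code, redirect_uri, client_id, verifier) -> tuple:
    """Form body for the token exchange; a public client sends no client_secret."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }
    return TOKEN_URL, body
```

The verifier is generated once, held in memory until `build_token_request`, and appears in no URL; the `state` value is compared in constant time before the single-use code is accepted.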