Generate a cryptographically random code_verifier string (43-128 characters), then compute code_challenge as the base64url-encoded SHA-256 hash of the verifier.
Redirect the user to https://accounts.spotify.com/authorize with response_type=code, client_id, redirect_uri, scope (at minimum playlist-modify-public or playlist-modify-private), code_challenge, and code_challenge_method=S256.
After the user authorizes, exchange the returned code for tokens via POST https://accounts.spotify.com/api/token with grant_type=authorization_code, code, redirect_uri, client_id, and code_verifier (no client secret needed for PKCE).
Create a playlist by POSTing to https://api.spotify.com/v1/users/{user_id}/playlists with Authorization: Bearer {access_token}, Content-Type: application/json, and a body containing name, public (boolean), and description.
Add tracks to the playlist by POSTing to https://api.spotify.com/v1/playlists/{playlist_id}/tracks with a JSON body containing an array of Spotify URIs (e.g., spotify:track:{id}).
Refresh the access token before it expires (typically 1 hour) using the refresh_token via POST to the token endpoint with grant_type=refresh_token.
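The six steps above, carried through in Python as an added worked example (this is illustration code written for this page, not Spotify's SDK or the page's own code). It assumes the endpoints and parameter names given in the steps; CLIENT_ID, REDIRECT_URI, user ids, track ids and tokens are placeholders; the `state` parameter and the `client_id` field on refresh are standard OAuth/Spotify PKCE details that the steps do not mention; and the HTTP transport is injectable so request construction can be checked offline against a stub.

```python
"""Spotify PKCE authorization + playlist creation (added example, not Spotify's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"
API_BASE = "https://api.spotify.com/v1"
# RFC 7636 "unreserved" characters permitted in a code_verifier.
VERIFIER_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def make_code_verifier(length: int = 64) -> str:
    """Step 1a: 43-128 unreserved characters drawn from a CSPRNG (secrets)."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def make_code_challenge(verifier: str) -> str:
    """Step 1b (S256): base64url(SHA-256(verifier)) with '=' padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs at exchange time (constant-time compare)."""
    return hmac.compare_digest(make_code_challenge(verifier), challenge)


def build_authorize_url(client_id, redirect_uri, verifier,
                        scope="playlist-modify-private", state=None):
    """Step 2. `state` is a standard OAuth anti-CSRF value (not listed in the steps)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
        "state": state or secrets.token_urlsafe(16),
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def http_post(url: str, headers: dict, body: bytes) -> dict:
    """Default transport: a real POST via urllib, JSON response decoded."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


class RecordingTransport:
    """Offline stand-in for http_post: records every call, returns canned JSON."""
    def __init__(self, reply):
        self.reply, self.calls = reply, []

    def __call__(self, url, headers, body):
        self.calls.append((url, headers, body))
        return self.reply


def post_form(url, fields, transport=http_post):
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    return transport(url, hdrs, urllib.parse.urlencode(fields).encode("ascii"))


def post_json(path, access_token, payload, transport=http_post):
    hdrs = {"Authorization": "Bearer " + access_token, "Content-Type": "application/json"}
    return transport(API_BASE + path, hdrs, json.dumps(payload).encode("utf-8"))


def exchange_code(code, redirect_uri, client_id, verifier, transport=http_post):
    """Step 3: no client secret; possession of the verifier proves we began this flow."""
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
              "client_id": client_id, "code_verifier": verifier}
    return post_form(TOKEN_URL, fields, transport)


def refresh_tokens(refresh_token, client_id, transport=http_post):
    """Step 6. Spotify's PKCE refresh also carries client_id (assumed from its docs)."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    return post_form(TOKEN_URL, fields, transport)


def create_playlist(access_token, user_id, name, public=False, description="", transport=http_post):
    """Step 4. user_id must be the authenticated user's own id; it is URL-escaped here."""
    path = "/users/%s/playlists" % urllib.parse.quote(user_id, safe="")
    body = {"name": name, "public": public, "description": description}
    return post_json(path, access_token, body, transport)


def add_tracks(access_token, playlist_id, track_ids, transport=http_post):
    """Step 5: body key "uris" holds spotify:track:{id} URIs (key name assumed from Spotify's API)."""
    uris = ["spotify:track:" + t for t in track_ids]
    return post_json("/playlists/%s/tracks" % playlist_id, access_token, {"uris": uris}, transport)


if __name__ == "__main__":
    verifier = make_code_verifier()  # keep this in session storage until step 3
    print(build_authorize_url("CLIENT_ID_PLACEHOLDER", "http://127.0.0.1:8080/callback", verifier))
    stub = RecordingTransport({"id": "PLAYLIST_ID_PLACEHOLDER"})  # offline demo of step 4
    print(create_playlist("ACCESS_TOKEN_PLACEHOLDER", "USER_ID_PLACEHOLDER", "Demo", transport=stub))
```

The verifier must be stored per session and bound to the `state` you sent, so the callback that receives `code` can prove it belongs to the flow it started; `challenge_matches` shows the comparison the authorization server makes, which is why a leaked `code` alone is useless without the verifier.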
Known gotchas
PKCE does not eliminate the need to register a redirect URI in the Spotify Developer Dashboard; an unregistered redirect URI causes an immediate error regardless of other correct parameters.
Creating a playlist via the API always succeeds even if the user has reached Spotify's playlist limit, but the playlist may not appear in the UI; the limit is high but not documented as infinite.
The user_id used in the playlist creation endpoint must match the authenticated user's Spotify user ID — you cannot create playlists on behalf of other users with user-level tokens.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp