starred/spotify-lyrics-api
1
0
Fork 0
mirror of https://github.com/akashrchandran/spotify-lyrics-api.git synced 2026-04-27 10:05:53 +03:00
Code Issues 6 Projects Releases 9 Packages Wiki Activity

[GH-ISSUE #61] Move away from cookies for authentication #126

New issue
Closed
opened 2026-03-13 21:16:14 +03:00 by kerem · 3 comments
kerem commented 2026-03-13 21:16:14 +03:00
Owner
Copy link

Originally created by @adhamali450 on GitHub (Feb 5, 2026).
Original GitHub issue: https://github.com/akashrchandran/spotify-lyrics-api/issues/61

Amazing project btw 👏

One concern though: for something that’s meant to be hosted on a server and run 24/7, relying on a browser session cookie like sp_dc feels a bit fragile. Since it can expire or get invalidated at any time, it’s hard to guarantee long-term stability.

Using OAuth tokens (or a similar official auth flow) that can be refreshed automatically would make this much more reliable and production-friendly.

If this is feasible but just hasn’t been tackled yet, I’d be happy to help contribute. I don’t write PHP much, but I’m definitely open to working on this together if that helps move things forward.

Originally created by @adhamali450 on GitHub (Feb 5, 2026). Original GitHub issue: https://github.com/akashrchandran/spotify-lyrics-api/issues/61 ### Amazing project btw 👏 One concern though: for something that’s meant to be hosted on a server and run 24/7, relying on a browser session cookie like `sp_dc` feels a bit fragile. Since it can expire or get invalidated at any time, it’s hard to guarantee long-term stability. Using OAuth tokens (or a similar official auth flow) that can be refreshed automatically would make this much more reliable and production-friendly. If this _is_ feasible but just hasn’t been tackled yet, I’d be happy to help contribute. I don’t write PHP much, but I’m definitely open to working on this together if that helps move things forward.
kerem closed this issue 2026-03-13 21:16:19 +03:00
kerem commented 2026-03-13 21:16:25 +03:00
Author
Owner
Copy link

@adhamali450 commented on GitHub (Feb 5, 2026):

I have a project where I already get the lyrics from Genius (unofficially). The reason why this is far more interesting to me is that you get synced lyrics.
I need timestamps to sync the lyric bar with the bar from the recording.

<!-- gh-comment-id:3850930632 --> @adhamali450 commented on GitHub (Feb 5, 2026): I have a project where I already get the lyrics from Genius (unofficially). The reason why this is far more interesting to me is that you get synced lyrics. I need timestamps to sync the lyric bar with the bar from the recording.
kerem commented 2026-03-13 21:16:30 +03:00
Author
Owner
Copy link

@akashrchandran commented on GitHub (Feb 6, 2026):

The APIs used here are private Spotify web APIs, not the public ones that support official OAuth authorization flows.

These endpoints only work with a logged-in Spotify web session. Using the normal authorization flows would require automating Spotify’s login process, which is protected by CAPTCHA and other anti-bot checks, so it’s not realistically solvable.

Instead, this project uses session cookies from a real login. The cookies:

  • Give access to the required auth token
  • Are long-lived (often ~1 year)
  • Allow refreshing the token without re-logging in

Because of this, cookie-based auth is currently the only practical approach for accessing these endpoints.

<!-- gh-comment-id:3861954672 --> @akashrchandran commented on GitHub (Feb 6, 2026): The APIs used here are private Spotify web APIs, not the public ones that support official OAuth authorization flows. These endpoints only work with a logged-in Spotify web session. Using the normal authorization flows would require automating Spotify’s login process, which is protected by CAPTCHA and other anti-bot checks, so it’s not realistically solvable. Instead, this project uses session cookies from a real login. The cookies: - Give access to the required auth token - Are long-lived (often ~1 year) - Allow refreshing the token without re-logging in Because of this, cookie-based auth is currently the only practical approach for accessing these endpoints.
kerem commented 2026-03-13 21:16:35 +03:00
Author
Owner
Copy link

@adhamali450 commented on GitHub (Feb 7, 2026):

Just figured out yesterday that they're using the web player API which is different from the public one. Wanted to continue reverse-engineering the player to extract as many information as possible but couldn't work with PHP (I'm not a PHP guy tbh). Forked and re-wrote in Python.
I Will continue exploring their API. I'm more than happy to collaborate on this btw!

<!-- gh-comment-id:3863679490 --> @adhamali450 commented on GitHub (Feb 7, 2026): Just figured out yesterday that they're using the web player API which is different from the public one. Wanted to continue reverse-engineering the player to extract as many information as possible but couldn't work with PHP (I'm not a PHP guy tbh). Forked and re-wrote in Python. I Will continue exploring their API. I'm more than happy to collaborate on this btw!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
copilot/create-job-application-tracker
docs
v2.2.1
v2.2.0
v2.1.4
v2.1.3
v2.1.2
v2.1.1
v2.1.0
v2.0.0
v1.0.1
v1.0.0
Labels
Clear labels   
UPDATES

   
bug

   
bug

   
documentation

   
enhancement

   
hacktoberfest

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
UPDATES
bug
bug
documentation
enhancement
hacktoberfest
help wanted
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/spotify-lyrics-api#126
No description provided.