[GH-ISSUE #11] SP_DC broken again

kerem commented

2026-02-27 20:07:40 +03:00

Owner

Originally created by @WurdahMekanik on GitHub (Jul 1, 2025).
Original GitHub issue: https://github.com/misiektoja/spotify_monitor/issues/11

It looks like the SP_DC token request is broken yet again.

I tried going the route of using proxyman as described in the README, but either I'm not sure how to actually use it, or that doesn't work either. I'm seeing a bunch of traffic to spotify and a bunch of other sites I browse to, but I'm not seeing any POSTs to spotify anywhere. I'd like to see if I can get the protobuf/proxy method working, but could you perhaps add some more details on how to set things up for those of us who are unfamiliar with these tools?

Originally created by @WurdahMekanik on GitHub (Jul 1, 2025). Original GitHub issue: https://github.com/misiektoja/spotify_monitor/issues/11 It looks like the SP_DC token request is broken yet again. I tried going the route of using proxyman as described in the README, but either I'm not sure how to actually use it, or that doesn't work either. I'm seeing a bunch of traffic to spotify and a bunch of other sites I browse to, but I'm not seeing any POSTs to spotify anywhere. I'd like to see if I can get the protobuf/proxy method working, but could you perhaps add some more details on how to set things up for those of us who are unfamiliar with these tools?

kerem

2026-02-27 20:07:40 +03:00

closed this issue
added the
Stale
label

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 1, 2025):

It happened overnight. I am seeing the same thing with the SP_DC cookie method.

But even worse, I didn't get an email warning of the problem, even though it's supposed to do that. This occurred with two different instances with two different cookies (no email warning)

I see this in log:

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
* Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=962857&totpServer=962857&totpVer=5&sTime=1751291016&cTime=1751291015404&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291016000_f96a9ebf'
Timestamp:			Mon, 30 Jun 2025, 08:43:35
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
* Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=090712&totpServer=090712&totpVer=5&sTime=1751291196&cTime=1751291195880&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291196000_6f0dd4d2'
Timestamp:			Mon, 30 Jun 2025, 08:46:36
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
* Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=488105&totpServer=488105&totpVer=5&sTime=1751291377&cTime=1751291376296&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291377000_ce312dfd'
Timestamp:			Mon, 30 Jun 2025, 08:49:36
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
* Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=222430&totpServer=222430&totpVer=5&sTime=1751291557&cTime=1751291556990&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291557000_b1e505da'
Timestamp:			Mon, 30 Jun 2025, 08:52:37
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────

And here is the bit showing that error emails were enabled:

* Email notifications:		[active = True] [inactive = True] [tracked = True]
*				[songs on loop = True] [every song = True] [errors = True]

@tomballgithub commented on GitHub (Jul 1, 2025): It happened overnight. I am seeing the same thing with the SP_DC cookie method. But even worse, I didn't get an email warning of the problem, even though it's supposed to do that. This occurred with two different instances with two different cookies (no email warning) I see this in log: ``` ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── * Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=962857&totpServer=962857&totpVer=5&sTime=1751291016&cTime=1751291015404&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291016000_f96a9ebf' Timestamp: Mon, 30 Jun 2025, 08:43:35 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── * Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=090712&totpServer=090712&totpVer=5&sTime=1751291196&cTime=1751291195880&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291196000_6f0dd4d2' Timestamp: Mon, 30 Jun 2025, 08:46:36 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── * Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=488105&totpServer=488105&totpVer=5&sTime=1751291377&cTime=1751291376296&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291377000_ce312dfd' Timestamp: Mon, 30 Jun 2025, 08:49:36 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── * Error, retrying in 3 minutes: 'refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=222430&totpServer=222430&totpVer=5&sTime=1751291557&cTime=1751291556990&buildDate=2025-06-30&buildVer=web-player_2025-06-30_1751291557000_b1e505da' Timestamp: Mon, 30 Jun 2025, 08:52:37 ───────────────────────────────────────────────────────────────────────────────────────────────────────────────── ``` And here is the bit showing that error emails were enabled: ``` * Email notifications: [active = True] [inactive = True] [tracked = True] * [songs on loop = True] [every song = True] [errors = True] ```

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 1, 2025):

Be advised that I was able to change the token source from COOKIE to CLIENT and use the Protobuf file I created on June 8th, and this works!

@tomballgithub commented on GitHub (Jul 1, 2025): Be advised that I was able to change the token source from COOKIE to CLIENT and use the Protobuf file I created on June 8th, and this works!

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@WurdahMekanik commented on GitHub (Jul 1, 2025):

Be advised that I was able to change the token source from COOKIE to CLIENT and use the Protobuf file I created on June 8th, and this works!

How did you get the protobuf payload? When I use proxyman, I only ever see CONNECT requests to spotify, and never any POSTs

@WurdahMekanik commented on GitHub (Jul 1, 2025): > Be advised that I was able to change the token source from COOKIE to CLIENT and use the Protobuf file I created on June 8th, and this works! How did you get the protobuf payload? When I use proxyman, I only ever see CONNECT requests to spotify, and never any POSTs

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 1, 2025):

@WurdahMekanik I followed the directions and it worked. However, I just tried it again tonight, because I needed this for my 2nd account, and I couldn't get the login connection needed.

The only logins I see are the following, and I tried two accounts multiple times, logging in and out, and restarting the app, and tried both a password and the numeric code login methods.

@tomballgithub commented on GitHub (Jul 1, 2025): @WurdahMekanik I followed the directions and it worked. However, I just tried it again tonight, because I needed this for my 2nd account, and I couldn't get the login connection needed. The only logins I see are the following, and I tried two accounts multiple times, logging in and out, and restarting the app, and tried both a password and the numeric code login methods. ![Image](https://github.com/user-attachments/assets/37216c9d-999c-4962-8688-605c4ae20291)

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@WurdahMekanik commented on GitHub (Jul 1, 2025):

Yep, that's exactly what I always see. I even tried reinstalling spotify after removing the spotify directories from .cache/ and .config/ but it made no difference

@WurdahMekanik commented on GitHub (Jul 1, 2025): Yep, that's exactly what I always see. I even tried reinstalling spotify after removing the spotify directories from .cache/ and .config/ but it made no difference

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 1, 2025):

@WurdahMekanik What's weird is the 'internal error' is because 'login.app.spotify.com' isn't currently a valid domain. And it's not just me, I used NSLOOKUP.IO and each service choice yields the same thing:

@tomballgithub commented on GitHub (Jul 1, 2025): @WurdahMekanik What's weird is the 'internal error' is because 'login.app.spotify.com' isn't currently a valid domain. And it's not just me, I used NSLOOKUP.IO and each service choice yields the same thing: ![Image](https://github.com/user-attachments/assets/18f647f2-2e0a-40ad-a1ee-807ab96a27df)

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 1, 2025):

Hopefully @misiektoja can give us guidance on a plan B for CLIENT mode and getting the necessary info until the cookie situation is fixed.

@tomballgithub commented on GitHub (Jul 1, 2025): Hopefully @misiektoja can give us guidance on a plan B for CLIENT mode and getting the necessary info until the cookie situation is fixed.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@matthewcamilizer commented on GitHub (Jul 1, 2025):

accroding to this, you need these cipher bytes [37, 84, 32, 76, 87, 90, 87, 47, 13, 75, 48, 54, 44, 28, 19, 21, 22] in "generate_totp()"

Spotify always changes TOTP secrets somehow, so you might need a secret dic for further usages, while i still don know how they work😢

def generate_totp():
    import pyotp

    secret_cipher_bytes = {
        "8": [37, 84, 32, 76, 87, 90, 87, 47, 13, 75, 48, 54, 44, 28, 19, 21, 22],

        "7" : [59, 91, 66, 74, 30, 66, 74, 38, 46, 50, 72, 61, 44, 71, 86, 39, 89],

        "6" : [21, 24, 85, 46, 48, 35, 33, 8, 11, 63, 76, 12, 55, 77, 14, 7, 54],
        
        "5" : [12, 56, 76, 33, 88, 44, 88, 33, 78, 78, 11, 66, 22, 22, 55, 69, 54]
        }


    secret_cipher_bytes = secret_cipher_bytes["8"]

@matthewcamilizer commented on GitHub (Jul 1, 2025): accroding to [this](https://github.com/librespot-org/librespot/issues/1475#issuecomment-3021776102), you need these cipher bytes ` [37, 84, 32, 76, 87, 90, 87, 47, 13, 75, 48, 54, 44, 28, 19, 21, 22]` in "generate_totp()" Spotify always changes TOTP secrets somehow, so you might need a secret dic for further usages, while i still don know how they work😢 ``` def generate_totp(): import pyotp secret_cipher_bytes = { "8": [37, 84, 32, 76, 87, 90, 87, 47, 13, 75, 48, 54, 44, 28, 19, 21, 22], "7" : [59, 91, 66, 74, 30, 66, 74, 38, 46, 50, 72, 61, 44, 71, 86, 39, 89], "6" : [21, 24, 85, 46, 48, 35, 33, 8, 11, 63, 76, 12, 55, 77, 14, 7, 54], "5" : [12, 56, 76, 33, 88, 44, 88, 33, 78, 78, 11, 66, 22, 22, 55, 69, 54] } secret_cipher_bytes = secret_cipher_bytes["8"] ```

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 1, 2025):

Hey! So it looks like Spotify has changed things again. I'll dive into it today and let you know.

@misiektoja commented on GitHub (Jul 1, 2025): Hey! So it looks like Spotify has changed things again. I'll dive into it today and let you know.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@WurdahMekanik commented on GitHub (Jul 1, 2025):

Making the change in generate_totp() as suggested by @matthewcamilizer as well as changing params["totpVer"] to 8 in refresh_access_token_from_sp_dc() worked for me. I'm not sure if the params change is actually necessary, but it seemed to me like they should match

@WurdahMekanik commented on GitHub (Jul 1, 2025): Making the change in `generate_totp()` as suggested by @matthewcamilizer as well as changing `params["totpVer"]` to 8 in `refresh_access_token_from_sp_dc()` worked for me. I'm not sure if the params change is actually necessary, but it seemed to me like they should match

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 1, 2025):

Cool news, I'll incorporate it to the code, unless you want to take credit and create a PR for it. 😉

@misiektoja commented on GitHub (Jul 1, 2025): Cool news, I'll incorporate it to the code, unless you want to take credit and create a PR for it. 😉

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@WurdahMekanik commented on GitHub (Jul 1, 2025):

Created PR #12 for this

@WurdahMekanik commented on GitHub (Jul 1, 2025): Created PR #12 for this

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 1, 2025):

Cool, thanks! I just merged it. I'll knock out two more fixes: no emails for refresh token errors and handling those annoying repeating "user disappeared" messages reported by @tomballgithub. After that, I'll make a new release!

@misiektoja commented on GitHub (Jul 1, 2025): Cool, thanks! I just merged it. I'll knock out two more fixes: no emails for refresh token errors and handling those annoying repeating "user disappeared" messages reported by @tomballgithub. After that, I'll make a new release!

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 2, 2025):

This change has COOKIE mode working again.

Can you also verify if the CLIENT mode fetching of the protobuf still works for you with the documented methodology? Per the above, three of us cannot get it to work.

@tomballgithub commented on GitHub (Jul 2, 2025): This change has COOKIE mode working again. Can you also verify if the CLIENT mode fetching of the protobuf still works for you with the documented methodology? Per the above, three of us cannot get it to work.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 2, 2025):

I just released v2.2.1 which fixes the sp_dc cookie method, so I'm closing this one. Thanks to everyone who helped solve it!

Let's continue the discussion about Spotify Desktop client mode in #13.

@misiektoja commented on GitHub (Jul 2, 2025): I just released v2.2.1 which fixes the sp_dc cookie method, so I'm closing this one. Thanks to everyone who helped solve it! Let's continue the discussion about Spotify Desktop client mode in #13.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@Thereallo1026 commented on GitHub (Jul 5, 2025):

FYI: The version 8 cipher bytes will expire on July 7th, which means after July 7th, the bytes array will no longer be a thing.

{
    "validUntil": "2025-07-07T09:00:00.000Z",
    ...
}

Feel free to read more about the latest updates here.

@Thereallo1026 commented on GitHub (Jul 5, 2025): FYI: The version 8 cipher bytes will expire on July 7th, which means after July 7th, the bytes array will no longer be a thing. ```json { "validUntil": "2025-07-07T09:00:00.000Z", ... } ``` Feel free to read more about the latest updates [here](https://github.com/librespot-org/librespot/issues/1475#issuecomment-3038830033).

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 5, 2025):

Thanks Thereallo1026 for the heads-up! I need to catch up on what you're cracking over there.

@misiektoja commented on GitHub (Jul 5, 2025): Thanks Thereallo1026 for the heads-up! I need to catch up on what you're cracking over there.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 7, 2025):

Heads up, in a few hours you might run into that pesky error again because those version 8 cipher bytes are about to expire (as pointed out by Thereallo1026).

In the meantime, I've rolled out new versions of the tools with the updated secret cipher bytes to v10. When you get a chance, go ahead and update.

@misiektoja commented on GitHub (Jul 7, 2025): Heads up, in a few hours you might run into that pesky error again because those version 8 cipher bytes are about to expire (as pointed out by Thereallo1026). In the meantime, I've rolled out new versions of the tools with the updated secret cipher bytes to v10. When you get a chance, go ahead and update.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 7, 2025):

Will CLIENT mode still work without an update?

On Sun, Jul 6, 2025 at 10:18 PM misiektoja @.***> wrote:

misiektoja left a comment (misiektoja/spotify_monitor#11)
https://github.com/misiektoja/spotify_monitor/issues/11#issuecomment-3043360289

Heads up, in a few hours you might run into that pesky error again because
those version 8 cipher bytes are about to expire (as pointed out by
Thereallo1026).

In the meantime, I've rolled out new versions of the tools with the
updated secret cipher bytes to v10. When you get a chance, go ahead and
update.

—
Reply to this email directly, view it on GitHub
https://github.com/misiektoja/spotify_monitor/issues/11#issuecomment-3043360289,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/ADVRWS53U4YJFXBOLIYXMOD3HHRH5AVCNFSM6AAAAACAPWJP2CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTANBTGM3DAMRYHE
.
You are receiving this because you were mentioned.Message ID:
@.***>

@tomballgithub commented on GitHub (Jul 7, 2025): Will CLIENT mode still work without an update? On Sun, Jul 6, 2025 at 10:18 PM misiektoja ***@***.***> wrote: > *misiektoja* left a comment (misiektoja/spotify_monitor#11) > <https://github.com/misiektoja/spotify_monitor/issues/11#issuecomment-3043360289> > > Heads up, in a few hours you might run into that pesky error again because > those version 8 cipher bytes are about to expire (as pointed out by > Thereallo1026). > > In the meantime, I've rolled out new versions of the tools with the > updated secret cipher bytes to v10. When you get a chance, go ahead and > update. > > — > Reply to this email directly, view it on GitHub > <https://github.com/misiektoja/spotify_monitor/issues/11#issuecomment-3043360289>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/ADVRWS53U4YJFXBOLIYXMOD3HHRH5AVCNFSM6AAAAACAPWJP2CVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTANBTGM3DAMRYHE> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 7, 2025):

Will CLIENT mode still work without an update?

Yes, it will.

@misiektoja commented on GitHub (Jul 7, 2025): > Will CLIENT mode still work without an update? Yes, it will.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 10, 2025):

It would be cool if there was a way to automagically update the method used without having to update/restart. For example, the tool could download updated information and utilize it, or we could manually insert it into a separate file and refresh it via a Signal like with .env.

OR maybe more realistically, the option to switch to CLIENT mode automatically any time the COOKIE method fails (failover to a backup authentication method)

@tomballgithub commented on GitHub (Jul 10, 2025): It would be cool if there was a way to automagically update the method used without having to update/restart. For example, the tool could download updated information and utilize it, or we could manually insert it into a separate file and refresh it via a Signal like with .env. OR maybe more realistically, the option to switch to CLIENT mode automatically any time the COOKIE method fails (failover to a backup authentication method)

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 10, 2025):

As we now have a way to automatically extract secret keys used for TOTP generation in cookie mode (see here) I was also thinking about implementing it in the code. For now, I've moved the secret cipher bytes for the web-player endpoint to the configuration section. This way, we can update it without needing new code.

It is definitely a good idea to have an automatic way to switch to another configured method too. Something to think about for the future.

@misiektoja commented on GitHub (Jul 10, 2025): As we now have a way to automatically extract secret keys used for TOTP generation in `cookie` mode (see [here](https://github.com/librespot-org/librespot/issues/1475#issuecomment-3053296920)) I was also thinking about implementing it in the code. For now, I've moved the secret cipher bytes for the web-player endpoint to the configuration section. This way, we can update it without needing new code. It is definitely a good idea to have an automatic way to switch to another configured method too. Something to think about for the future.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 10, 2025):

Amazing RE work on that other thread. Interesting to read...

@tomballgithub commented on GitHub (Jul 10, 2025): Amazing RE work on that other thread. Interesting to read...

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 11, 2025):

I was running latest code but I received sp_dc errors overnight. Switching to CLIENT got me running again.

@tomballgithub commented on GitHub (Jul 11, 2025): I was running latest code but I received sp_dc errors overnight. Switching to CLIENT got me running again.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 11, 2025):

It appears Spotify is now rotating secret keys used for TOTP generation every two days (our SECRET_CIPHER_DICT config option). I just dropped a new version with the v11 and v12 secret keys a couple of days back, it still works with both of them, meanwhile v10 expired (most likely what you have) and it looks like they decided to jump to v13 already.

Here are current secret keys:

{
  "11": [111, 45, 40, 73, 95, 74, 35, 85, 105, 107, 60, 110, 55, 72, 69, 70, 114, 83, 63, 88, 91],
  "12": [107, 81, 49, 57, 67, 93, 87, 81, 69, 67, 40, 93, 48, 50, 46, 91, 94, 113, 41, 108, 77, 107, 34],
  "13": [59, 92, 64, 70, 99, 78, 117, 75, 99, 103, 116, 67, 103, 51, 87, 63, 93, 59, 70, 45, 32]
}

So I need to tweak the code to work with the PoC tool (spotify_monitor_secret_grabber), that I whipped up a few days ago to snag those new secrets automatically. I've already put the necessary code in spotify_monitor_totp_test yesterday, so the code template is ready to be migrated to spotify_monitor and spotify_profile_monitor. Problem is I'm not so conviced to this as running it isn't exactly light, i.e. it runs in the background heavy, headless web browser.

Thinking maybe we could auto-publish the secrets using GitHub Actions, tossing them into a file, kinda like what @Thereallo1026 did here. So basically, GitHub Actions would grab the new secrets every few hours and then our tool would have a nice little spot to fetch them from (or we simply use the secrets from Thereallo1026's repo).

Let's see, I will try to give it some thoughts over the weekend.

@misiektoja commented on GitHub (Jul 11, 2025): It appears Spotify is now rotating secret keys used for TOTP generation every two days (our `SECRET_CIPHER_DICT` config option). I just dropped a new version with the v11 and v12 secret keys a couple of days back, it still works with both of them, meanwhile v10 expired (most likely what you have) and it looks like they decided to jump to v13 already. Here are current secret keys: ```python { "11": [111, 45, 40, 73, 95, 74, 35, 85, 105, 107, 60, 110, 55, 72, 69, 70, 114, 83, 63, 88, 91], "12": [107, 81, 49, 57, 67, 93, 87, 81, 69, 67, 40, 93, 48, 50, 46, 91, 94, 113, 41, 108, 77, 107, 34], "13": [59, 92, 64, 70, 99, 78, 117, 75, 99, 103, 116, 67, 103, 51, 87, 63, 93, 59, 70, 45, 32] } ``` So I need to tweak the code to work with the PoC tool ([spotify_monitor_secret_grabber](https://github.com/misiektoja/spotify_monitor/blob/main/debug/spotify_monitor_secret_grabber.py)), that I whipped up a few days ago to snag those new secrets automatically. I've already put the necessary code in [spotify_monitor_totp_test](https://github.com/misiektoja/spotify_monitor/blob/main/debug/spotify_monitor_totp_test.py) yesterday, so the code template is ready to be migrated to spotify_monitor and spotify_profile_monitor. Problem is I'm not so conviced to this as running it isn't exactly light, i.e. it runs in the background heavy, headless web browser. Thinking maybe we could auto-publish the secrets using GitHub Actions, tossing them into a file, kinda like what @Thereallo1026 did [here](https://github.com/Thereallo1026/spotify-secrets). So basically, GitHub Actions would grab the new secrets every few hours and then our tool would have a nice little spot to fetch them from (or we simply use the secrets from Thereallo1026's repo). Let's see, I will try to give it some thoughts over the weekend.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 11, 2025):

I updated a few days ago when you sent that note about the upcoming change, but I just updated to the latest and it's working.

@tomballgithub commented on GitHub (Jul 11, 2025): I updated a few days ago when you sent that note about the upcoming change, but I just updated to the latest and it's working.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 14, 2025):

I raised a PR in Thereallo1026's repo, so now there's a new JSON endpoint that returns a Python-friendly dict object with the current secrets: secretDict.json.

I just rolled out new versions of the tools that tap into her repo and automatically update the secrets needed for TOTP generation (URL is defined in SECRET_CIPHER_DICT_URL).

If you're using an older version, you can just grab the file contents mentioned and pop it right into SECRET_CIPHER_DICT. No need to run the spotify_monitor_secret_grabber utility anymore.

Let's see how long it'll work 😉

@misiektoja commented on GitHub (Jul 14, 2025): I raised a [PR](https://github.com/Thereallo1026/spotify-secrets/pull/1) in Thereallo1026's [repo](https://github.com/Thereallo1026/spotify-secrets), so now there's a new JSON endpoint that returns a Python-friendly dict object with the current secrets: [secretDict.json](https://raw.githubusercontent.com/Thereallo1026/spotify-secrets/refs/heads/main/secrets/secretDict.json). I just rolled out new versions of the tools that tap into her repo and automatically update the secrets needed for TOTP generation (URL is defined in `SECRET_CIPHER_DICT_URL`). If you're using an older version, you can just grab the file contents mentioned and pop it right into `SECRET_CIPHER_DICT`. No need to run the `spotify_monitor_secret_grabber` utility anymore. Let's see how long it'll work 😉

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 14, 2025):

Is there a date at which we know the next change is coming so we can verify the automatic secret update worked?

@tomballgithub commented on GitHub (Jul 14, 2025): Is there a date at which we know the next change is coming so we can verify the automatic secret update worked?

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 15, 2025):

You should be able to test it now since the v12 cipher just expired. It's the latest one I added to SECRET_CIPHER_DICT, so all the others are being fetched from a remote URL. The current secrets:

SECRET_CIPHER_DICT = {
  "13": [59, 92, 64, 70, 99, 78, 117, 75, 99, 103, 116, 67, 103, 51, 87, 63, 93, 59, 70, 45, 32],
  "14": [62, 54, 109, 83, 107, 77, 41, 103, 45, 93, 114, 38, 41, 97, 64, 51, 95, 94, 95, 94],
  "15": [53, 57, 79, 64, 54, 84, 97, 56, 53, 106, 50, 49, 98, 56, 83, 66, 37, 100, 68, 83, 65, 61, 39, 61, 51, 107, 80, 119, 92, 118]
}

You can check it by setting SECRET_CIPHER_DICT_URL to empty string:

SECRET_CIPHER_DICT_URL = ""

The tool's gonna fail because v12 expired and it's the latest manually defined secret. If you add those v13-v15 secrets or get that download back from the remote URL, it'll work again.

@misiektoja commented on GitHub (Jul 15, 2025): You should be able to test it now since the v12 cipher just expired. It's the latest one I added to `SECRET_CIPHER_DICT`, so all the others are being fetched from a remote URL. The current secrets: ```python SECRET_CIPHER_DICT = { "13": [59, 92, 64, 70, 99, 78, 117, 75, 99, 103, 116, 67, 103, 51, 87, 63, 93, 59, 70, 45, 32], "14": [62, 54, 109, 83, 107, 77, 41, 103, 45, 93, 114, 38, 41, 97, 64, 51, 95, 94, 95, 94], "15": [53, 57, 79, 64, 54, 84, 97, 56, 53, 106, 50, 49, 98, 56, 83, 66, 37, 100, 68, 83, 65, 61, 39, 61, 51, 107, 80, 119, 92, 118] } ``` You can check it by setting `SECRET_CIPHER_DICT_URL` to empty string: ```python SECRET_CIPHER_DICT_URL = "" ``` The tool's gonna fail because v12 expired and it's the latest manually defined secret. If you add those v13-v15 secrets or get that download back from the remote URL, it'll work again.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 15, 2025):

All my instances went down which is expected per your note. I'll try to get them back up, but I thought it was supposed to keep going automagically with the latest code bases?

@tomballgithub commented on GitHub (Jul 15, 2025): All my instances went down which is expected per your note. I'll try to get them back up, but I thought it was supposed to keep going automagically with the latest code bases?

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@misiektoja commented on GitHub (Jul 15, 2025):

Yes, it should work automatically with the latest code bases, but it seems like Spotify is doing some strange stuff with their infra as we speak. The v13-v14 secrets weren't working for a while, but now they're back in action. However, v15 isn't showing up on my extractor anymore (so it also disappeared from the secretDict.json file). They've probably tweaked something to hide it, although the v15 secret itself still works. Clearly, they're trying to block it. This is going to be a never-ending battle! 😉

Anyway, the tools appear to work again, let's see for how long ...

@misiektoja commented on GitHub (Jul 15, 2025): Yes, it should work automatically with the latest code bases, but it seems like Spotify is doing some strange stuff with their infra as we speak. The v13-v14 secrets weren't working for a while, but now they're back in action. However, v15 isn't showing up on my extractor anymore (so it also disappeared from the [secretDict.json](https://raw.githubusercontent.com/Thereallo1026/spotify-secrets/refs/heads/main/secrets/secretDict.json) file). They've probably tweaked something to hide it, although the v15 secret itself still works. Clearly, they're trying to block it. This is going to be a never-ending battle! 😉 Anyway, the tools appear to work again, let's see for how long ...

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 15, 2025):

I was able to get everything up with the latest code using the auto updating via SECRET_CIPHER_DICT_URL. I had neglected to put the latest changes into my .conf file and SECRET_CIPHER_DICT_URL was "".

@tomballgithub commented on GitHub (Jul 15, 2025): I was able to get everything up with the latest code using the auto updating via SECRET_CIPHER_DICT_URL. I had neglected to put the latest changes into my .conf file and SECRET_CIPHER_DICT_URL was "".

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@tomballgithub commented on GitHub (Jul 15, 2025):

@misiektoja I think it would be a good idea to put something in the log when new secrets are fetched. I only see logging occurring for this during exception handling.

@tomballgithub commented on GitHub (Jul 15, 2025): @misiektoja I think it would be a good idea to put something in the log when new secrets are fetched. I only see logging occurring for this during exception handling.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@github-actions[bot] commented on GitHub (Aug 15, 2025):

This issue has been marked as stale because it has been inactive for 30 days. It will be closed in 7 days if no further activity occurs.

@github-actions[bot] commented on GitHub (Aug 15, 2025): This issue has been marked as stale because it has been inactive for 30 days. It will be closed in 7 days if no further activity occurs.

kerem commented

2026-02-27 20:07:41 +03:00

Author

Owner

@github-actions[bot] commented on GitHub (Aug 23, 2025):

Closing this issue due to inactivity. Feel free to reopen if needed.

@github-actions[bot] commented on GitHub (Aug 23, 2025): Closing this issue due to inactivity. Feel free to reopen if needed.

Rows
Columns

[GH-ISSUE #11] SP_DC broken again #11