[GH-ISSUE #27] API Looks broken again #18

Closed
opened 2026-02-27 20:07:42 +03:00 by kerem · 29 comments

Originally created by @tomballgithub on GitHub (Dec 22, 2025).
Original GitHub issue: https://github.com/misiektoja/spotify_monitor/issues/27

The API stopped working for me today with the latest codes from spotify_monitor_secret_grabber.py

```json
{"59":[123,105,79,70,110,59,52,125,60,49,80,70,89,75,80,86,63,53,123,37,117,49,52,93,77,62,47,86,48,104,68,72],"60":[79,109,69,123,90,65,46,74,94,34,58,48,70,71,92,85,122,63,91,64,87,87],"61":[44,55,47,42,70,40,34,114,76,74,50,111,120,97,75,76,94,102,43,69,49,120,118,80,64,78]}
```

kerem closed this issue 2026-02-27 20:07:42 +03:00

@misiektoja commented on GitHub (Dec 23, 2025):

Hey, I already commented in the other thread [here](https://github.com/librespot-org/librespot/discussions/1562#discussioncomment-15322356).


@tomballgithub commented on GitHub (Dec 23, 2025):

@misiektoja
You mentioned 429's at that link, but FYI I am seeing this (400) from 'spotify_profile_monitor' and 'spotify_monitor'.

I've been using the 'cookie' method.

```
* Error: sp_dc may be invalid/expired or Spotify has broken sth again! Failed to obtain a valid Spotify access token after 3 attempts: refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=011654&totpServer=011654&totpVer=0&sTime=1766458607&cTime=1766458606538&buildDate=2025-12-23&buildVer=web-player_2025-12-23_1766458607000_ddb1c8d5
```


@0xXiHan commented on GitHub (Dec 23, 2025):

> @misiektoja You mentioned 429's at that link, but FYI I am seeing this (400) from 'spotify_profile_monitor':
>
> ```
> * Error: sp_dc may be invalid/expired or Spotify has broken sth again! Failed to obtain a valid Spotify access token after 3 attempts: refresh_access_token_from_sp_dc(): Unsuccessful token request: 400 Client Error: Bad Request for url: https://open.spotify.com/api/token?reason=init&productType=web-player&totp=011654&totpServer=011654&totpVer=0&sTime=1766458607&cTime=1766458606538&buildDate=2025-12-23&buildVer=web-player_2025-12-23_1766458607000_ddb1c8d5
> ```

I also encountered the same problem early this morning, to the point that all related services were suspended.


@0xXiHan commented on GitHub (Dec 23, 2025):

Is Spotify conducting large-scale account risk control today?


@tomballgithub commented on GitHub (Dec 23, 2025):

The thing is, the web page is using the same sp_dc cookie without issue. There could be something new going on with the requests that is unrelated to the token.


@tomballgithub commented on GitHub (Dec 24, 2025):

FWIW, spotify_profile_monitor works with both oauth_app and oauth_user, with the known limitations.

Client and Cookie mode do not work, and those are the only supported modes for spotify_monitor.


@tomballgithub commented on GitHub (Dec 24, 2025):

@misiektoja I emailed you some sample code that is working.


@misiektoja commented on GitHub (Dec 25, 2025):

Hey, I checked quickly how SpotifyFLAC fixed it. They essentially switched from the open.spotify.com endpoint (TOTP-based), to the official Spotify Web API using the Client Credentials OAuth flow - it is the oauth_app already implemented in spotify_profile_monitor. However, this does not allow fetching friends' listening activity, i.e. we need user-authenticated tokens (via sp_dc cookie or refresh token), so it does not really help in spotify_monitor.

It looks like a more complex task since I need to examine the JS client side and Spotify app to determine their current behaviour. Hopefully, we can restore at least one option (cookie or client). However, even if we manage to get it working again, I am concerned that they might have blocked many endpoints, as @Thereallo1026 mentioned in the email I received.


@0xXiHan commented on GitHub (Dec 25, 2025):

Are there any new solutions for obtaining an auth token now? @misiektoja


@misiektoja commented on GitHub (Dec 25, 2025):

I briefly examined the network traffic from open.spotify.com and it appears that a client-token is now required in the request headers for many endpoints. We need to figure out how it is assigned. I will try to look into it more deeply in a few days. We have Christmas here and I am going from place to place visiting family ;-)


@0xXiHan commented on GitHub (Dec 25, 2025):

> I briefly examined the network traffic from open.spotify.com and it appears that a client-token is now required in the request headers for many endpoints. We need to figure out how it is assigned. I will try to look into it more deeply in a few days. We have Christmas here and I am going from place to place visiting family ;-)

Thank you so much, bro! Your project has been a huge help to me. Merry Christmas to you!


@Thereallo1026 commented on GitHub (Dec 25, 2025):

> I briefly examined the network traffic from open.spotify.com and it appears that a client-token is now required in the request headers for many endpoints. We need to figure out how it is assigned. I will try to look into it more deeply in a few days. We have Christmas here and I am going from place to place visiting family ;-)

Client token comes from `https://clienttoken.spotify.com/v1/clienttoken`:

```ts
export interface Payload {
  client_data: {
    client_version: string;
    client_id: string;
    js_sdk_data: JsSdkData;
  };
}

interface JsSdkData {
  device_brand: string;
  device_model: string;
  os: string;
  os_version: string;
  device_id: string;
  device_type: string;
}
```

```ts
export interface Response {
  response_type: string;
  granted_token: GrantedToken;
}

interface GrantedToken {
  token: string;
  expires_after_seconds: number;
  refresh_after_seconds: number;
  domains: {
    domain: string;
  }[];
}
```

And two endpoints for server time:

- `https://gae2-spclient.spotify.com/melody/v1/time` (Requires auth headers)
- `https://open.spotify.com/api/server-time`

Data comes from `https://api-partner.spotify.com/pathfinder/v2/query` (GraphQL, requires both `client-token` and `authorization` header, and `sha256Hash` in request payload)

Merry Christmas, cheers 🙌


@tomballgithub commented on GitHub (Dec 25, 2025):

I have been looking at the requests and responses of the web interface and the Python code using 'Proxyman'. Here are sample good requests and responses associated with the URLs @Thereallo1026 shared above. All of these were captured using the web interface.

Additionally, comparing the TOTP between the Spotify web interface and the Python code, the generated TOTPs are definitely different. Not a surprise, but I wanted to mention & confirm it.

https://clienttoken.spotify.com/v1/clienttoken

```
POST /v1/clienttoken HTTP/1.1
Host: clienttoken.spotify.com
Connection: keep-alive
Content-Length: 280
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0
accept: application/json
sec-ch-ua: "Microsoft Edge";v="143", "Chromium";v="143", "Not A(Brand";v="24"
content-type: application/json
sec-ch-ua-mobile: ?0
Origin: https://open.spotify.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://open.spotify.com/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9

{
  "client_data": {
    "client_version": "1.2.80.333.g6d8aabfd",
    "client_id": "d8a5ed958d274c2e8ee717e6a4b0971d",
    "js_sdk_data": {
      "device_brand": "unknown",
      "device_model": "unknown",
      "os": "windows",
      "os_version": "NT 10.0",
      "device_id": "f84c52d20acf6d2d5c9baa0fea01837e",
      "device_type": "computer"
    }
  }
}
```

```
HTTP/1.1 200 OK
content-type: application/json
cache-control: private, max-age=0
content-encoding: gzip
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
access-control-allow-origin: https://open.spotify.com
date: Thu, 25 Dec 2025 04:18:13 GMT
server: envoy
via: HTTP/2 edgeproxy, 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Transfer-Encoding: chunked

{
  "response_type": "RESPONSE_GRANTED_TOKEN_RESPONSE",
  "granted_token": {
    "token": "AAAbzigQcp43qxY1ZBzhYSY1ZaqEIyVWneH5wbVOMOPInXTuqRtTeDXv/EjNOYlnRkiCAZ3k/d9xEd2H5pFB2yiGSwuR/IaiTMHSK8zELrMSNJ9BCK01iZOA025hoXL6y5UmXByWFtdJKWjxNhLgQ7XizJXuzkAnTzNZkh7Ib/uc26Hmyd12GutMeivRF7fv55NLbjkfxbsmIxZNwM5Q2SBxzxJivETiAhxsXX9v2DvaWDlfCdm81TG522lK/TQSIf2Yd+DAVH/gCA9Z0yOuRMqxzEh7nutZGT6Trm554PAYXlvsYbZLzWsDOyMjI4FH56TZR1OtZZBHIDUZVxpiqWvZbBnuMA==",
    "expires_after_seconds": 1216800,
    "refresh_after_seconds": 1209600,
    "domains": [
      {
        "domain": "spotify.com"
      },
      {
        "domain": "spotify.net"
      }
    ]
  }
}
```

With the web interface, I am seeing requests to https://open.spotify.com/api/token?reason=init to get the token. This is where I am seeing a TOTP that doesn't match the python code when generated at the same time. For example:

```
GET /api/token?reason=init&productType=web-player&totp=830346&totpServer=830346&totpVer=61 HTTP/1.1
Host: open.spotify.com
Connection: keep-alive
sentry-trace: ec4eb541a6b9408ca848e6332ca4e8cb-a0528d8a1c235a1b-0
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0
sec-ch-ua: "Microsoft Edge";v="143", "Chromium";v="143", "Not A(Brand";v="24"
sec-ch-ua-mobile: ?0
baggage: sentry-environment=production,sentry-release=open-server_2025-12-25_1766630402614_6d8aabf,sentry-public_key=de32132fc06e4b28965ecf25332c3a25,sentry-trace_id=ec4eb541a6b9408ca848e6332ca4e8cb,sentry-org_id=22381,sentry-sampled=false,sentry-sample_rand=0.7571096004420138,sentry-sample_rate=0.008
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://open.spotify.com/?flow_ctx=5483b6cc-01eb-4ead-977f-bda39abef4bf%3A1766657092
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Cookie: sp_t=f84c52d20acf6d2d5c9baa0fea01837e; sp_m=us; sp_adid=3ba3f1c6-9799-4709-bfb9-ebf1c8050582; _hjSessionUser_5038406=eyJpZCI6IjZhZGI1NjQyLTZmYTUtNWJjZC1iMTUxLWI4ZTMxNzA4Mzc0YSIsImNyZWF0ZWQiOjE3NjUwNDcyMDkxMTIsImV4aXN0aW5nIjp0cnVlfQ==; sp_gaid=0088fcb7caa24dea471f240bd9ab8a86b6baba5255a834f7715fc6; _gid=GA1.2.236960025.1766612821; _ga=GA1.1.261897654.1747616580; _ga_BMC5VGR8YS=GS2.2.s1766612821$o7$g0$t1766612821$j60$l0$h0; _ga_LJDH9SQRHZ=GS2.1.s1766612820$o7$g1$t1766612847$j33$l0$h0; _ga_ZWRF3NLZJZ=GS2.1.s1766610650$o21$g1$t1766613124$j51$l0$h0; sp_landing=https%3A%2F%2Fopen.spotify.com%2Ftrack%2F1rUWJ63uulmHgHwea5OeqB; sp_dc=AQAdxtRwnE8ncl8WKP0Jqz32H7_Yj6Nhr5G9Bdo6kgpg2fDd6eTbyCTWfeYOwj-yeHGhZf9Qqious_3XE5ddzmrX-CpyIP-tR8g65WCLFx-NF0yDIRBj4dCUrqTwhrEMrxgpGu1_6U76Wm08Bhw_otoVtMuAJ_-9hmcpBi0n_CMkHIRMn34sfyPOLmC_vmcNA6aXGLkhxtAFS98aZ8I; sp_key=2b3b5227-ed7d-4e10-9ea8-a133f42069b1; OptanonConsent=isGpcEnabled=0&datestamp=Wed+Dec+24+2025+22%3A16%3A49+GMT-0600+(Central+Standard+Time)&version=202411.2.0&browserGpcFlag=0&isIABGlobal=false&hosts=&landingPath=NotLandingPage&groups=t00%3A1%2Ci00%3A1%2Cs00%3A1%2Cf00%3A1%2Cm00%3A1%2Cf11%3A1%2CBG169%3A1%2CBG170%3A1&AwaitingReconsent=false
```

```
HTTP/1.1 200 OK
Connection: keep-alive
server: envoy
x-content-type-options: nosniff
content-encoding: gzip
via: HTTP/1.1 fringe, HTTP/2 edgeproxy, 1.1 google, 1.1 varnish
content-type: application/json; charset=utf-8
strict-transport-security: max-age=31536000
x-envoy-upstream-service-time: 174
Accept-Ranges: bytes
Date: Thu, 25 Dec 2025 04:17:44 GMT
X-Served-By: cache-iah17283-IAH, cache-iah1720094-IAH
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1766636264.761516,VS0,VE250
Vary: Accept-Encoding
transfer-encoding: chunked

{
  "clientId": "d8a5ed958d274c2e8ee717e6a4b0971d",
  "accessToken": "BQDt6FpbFqEVCgNRjtu3UnKxmV8cCKKXs0NWL5iKsbiWDxNTHVDVhU7PwBd9qNze6PleXepblh6qDmcW7K5AFr-TLJStVgYJXQ0OGmQMedY6TIpqoXlFPyrZEzcE_rY5GoSx219aGKPS5sUHSLEtdgH5S3HrvUFIYqHwg3Y6XVPSRTMXK-iYFevfE46ODT0-_YU3WRt-jzOvjDZ6fFZfmHjEYVfhHeO1ISK6H3jKEMpxRM_HvVPLoIHqrL9DdIhRWg7EJgL2jqzieeGbmlQi1WdspQtJxNoh9n-T-RizE5ILyjPfntwz1gEPvC1XTF4ShwdycNM7GVg4nILSEbn1U-VUnA-wtytM931JTfu03bapvGHCmROyR3DYQg",
  "accessTokenExpirationTimestampMs": 1766638804772,
  "isAnonymous": false,
  "_notes": "Usage of this endpoint is not permitted under the Spotify Developer Terms and Developer Policy, and applicable law"
}
```

For time, I am seeing https://guc3-spclient.spotify.com/melody/v1/time with the Spotify web browser version:

```
GET /melody/v1/time HTTP/1.1
Host: guc3-spclient.spotify.com
Connection: keep-alive
sec-ch-ua-platform: "Windows"
authorization: Bearer BQDt6FpbFqEVCgNRjtu3UnKxmV8cCKKXs0NWL5iKsbiWDxNTHVDVhU7PwBd9qNze6PleXepblh6qDmcW7K5AFr-TLJStVgYJXQ0OGmQMedY6TIpqoXlFPyrZEzcE_rY5GoSx219aGKPS5sUHSLEtdgH5S3HrvUFIYqHwg3Y6XVPSRTMXK-iYFevfE46ODT0-_YU3WRt-jzOvjDZ6fFZfmHjEYVfhHeO1ISK6H3jKEMpxRM_HvVPLoIHqrL9DdIhRWg7EJgL2jqzieeGbmlQi1WdspQtJxNoh9n-T-RizE5ILyjPfntwz1gEPvC1XTF4ShwdycNM7GVg4nILSEbn1U-VUnA-wtytM931JTfu03bapvGHCmROyR3DYQg
client-token: AAAbzigQcp43qxY1ZBzhYSY1ZaqEIyVWneH5wbVOMOPInXTuqRtTeDXv/EjNOYlnRkiCAZ3k/d9xEd2H5pFB2yiGSwuR/IaiTMHSK8zELrMSNJ9BCK01iZOA025hoXL6y5UmXByWFtdJKWjxNhLgQ7XizJXuzkAnTzNZkh7Ib/uc26Hmyd12GutMeivRF7fv55NLbjkfxbsmIxZNwM5Q2SBxzxJivETiAhxsXX9v2DvaWDlfCdm81TG522lK/TQSIf2Yd+DAVH/gCA9Z0yOuRMqxzEh7nutZGT6Trm554PAYXlvsYbZLzWsDOyMjI4FH56TZR1OtZZBHIDUZVxpiqWvZbBnuMA==
sec-ch-ua: "Microsoft Edge";v="143", "Chromium";v="143", "Not A(Brand";v="24"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0
sec-ch-ua-mobile: ?0
Accept: */*
Origin: https://open.spotify.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://open.spotify.com/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
```

```
HTTP/1.1 200 OK
content-type: application/json
cache-control: private, max-age=0
access-control-allow-origin: https://open.spotify.com
access-control-allow-headers: Accept, App-Platform, Authorization, client-token, content-access-token, Content-Type, Origin, Retry-After, SPA-Preferred-Publisher, Spotify-App, Spotify-App-Version, spotify-org-uri, X-ClientAttribute-Version, X-Client-Id, x-cloud-trace-context, X-Cloud-Trace-Context, X-Geo-Country, X-Installation-Id, x-permission-grant-token, X-Spotify-Additional-Idp, X-Spotify-Connection-Id, X-Spotify-Quicksilver-Uri, x-twitch-jwt
access-control-allow-methods: POST, GET, OPTIONS, PUT, HEAD, DELETE, PATCH
access-control-allow-credentials: true
access-control-max-age: 604800
Content-Length: 27
server-timing: edge;dur=1
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
date: Thu, 25 Dec 2025 04:18:19 GMT
server: envoy
via: HTTP/2 edgeproxy, 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{
  "timestamp": 1766636299837
}
```

For time, if I manually do a request to https://open.spotify.com/api/server-time:

```
GET /api/server-time HTTP/1.1
Host: open.spotify.com
Connection: close
```

```
HTTP/1.1 200 OK
Connection: close
Content-Length: 25
strict-transport-security: max-age=31536000
set-cookie: sp_t=194e171c-b64a-4b3f-92f1-ab5f5f557c71; Path=/; Domain=.spotify.com; Max-Age=31536000; Expires=Fri, 25 Dec 2026 19:57:17 GMT; Secure
set-cookie: sp_new=1; Path=/; Domain=.spotify.com; Max-Age=86400; Expires=Fri, 26 Dec 2025 19:57:17 GMT; Secure
set-cookie: sp_landing=https%3A%2F%2Fopen.spotify.com%2Fapi%2Fserver-time; Path=/; Domain=.spotify.com; Max-Age=86400; Expires=Fri, 26 Dec 2025 19:57:17 GMT; Secure; HttpOnly
content-type: application/json; charset=utf-8
via: HTTP/1.1 fringe, HTTP/2 edgeproxy, 1.1 google, 1.1 varnish
x-envoy-upstream-service-time: 3
x-content-type-options: nosniff
server: envoy
Accept-Ranges: bytes
Date: Thu, 25 Dec 2025 19:57:17 GMT
X-Served-By: cache-iah1720142-IAH, cache-iah17264-IAH
X-Cache: MISS, MISS
X-Cache-Hits: 0, 0
X-Timer: S1766692637.075749,VS0,VE73
Vary: Accept-Encoding

{
  "serverTime": 1766692637
}
```

https://api-partner.spotify.com/pathfinder/v2/query:

```
POST /pathfinder/v2/query HTTP/1.1
Host: api-partner.spotify.com
Connection: keep-alive
Content-Length: 178
sec-ch-ua-platform: "Windows"
authorization: Bearer BQDt6FpbFqEVCgNRjtu3UnKxmV8cCKKXs0NWL5iKsbiWDxNTHVDVhU7PwBd9qNze6PleXepblh6qDmcW7K5AFr-TLJStVgYJXQ0OGmQMedY6TIpqoXlFPyrZEzcE_rY5GoSx219aGKPS5sUHSLEtdgH5S3HrvUFIYqHwg3Y6XVPSRTMXK-iYFevfE46ODT0-_YU3WRt-jzOvjDZ6fFZfmHjEYVfhHeO1ISK6H3jKEMpxRM_HvVPLoIHqrL9DdIhRWg7EJgL2jqzieeGbmlQi1WdspQtJxNoh9n-T-RizE5ILyjPfntwz1gEPvC1XTF4ShwdycNM7GVg4nILSEbn1U-VUnA-wtytM931JTfu03bapvGHCmROyR3DYQg
accept-language: en
sec-ch-ua: "Microsoft Edge";v="143", "Chromium";v="143", "Not A(Brand";v="24"
client-token: AAC5bpuCIla99vScnSAsPGJZEKYseiEnBKOTk/KJfZC691VTfRH7BsqBeDRg0hqf2y/+MpyWOVJp0jquh3VwVYLPhg7Ezye2J5jGn+jPCXY0ThCxAgzM125VmBpPwN4Hg+wmhNEiLEge9zLcbc2z8L62bLzcUaw/KzONqEf3Y2sEiq1tEQB0iH2Id5/4uH1Lz/ygLg7BQnLVdDQ05s6Id+F0oxOT6LcKIkA6cnGP1Ws3fWLZPSIVpazbf0yRZkJwe3t8dgU1I7Ep84wtyImCWUkYIFB3vk9eWN/uOJdY31rlawha59lKJsD+ywVuDvYKYv/X6cJLz7aI0ZYvZx1zA9ncpz0qVWxr
spotify-app-version: 1.2.80.333.g6d8aabfd
sec-ch-ua-mobile: ?0
app-platform: WebPlayer
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0
accept: application/json
content-type: application/json;charset=UTF-8
Origin: https://open.spotify.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://open.spotify.com/
Accept-Encoding: gzip, deflate, br, zstd

{
  "variables": {},
  "operationName": "accountAttributes",
  "extensions": {
    "persistedQuery": {
      "version": 1,
      "sha256Hash": "24aaa3057b69fa91492de26841ad199bd0b330ca95817b7a4d6715150de01827"
    }
  }
}
```

```
HTTP/1.1 200 OK
content-type: application/json
cache-control: private, max-age=0
x-robots-tag: noindex, nofollow
access-control-allow-origin: https://open.spotify.com
content-encoding: gzip
server-timing: edge;dur=19
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
access-control-allow-credentials: true
date: Thu, 25 Dec 2025 04:05:05 GMT
server: envoy
via: HTTP/2 edgeproxy, 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Transfer-Encoding: chunked

{
  "data": {
    "me": {
      "account": {
        "attributes": {
          "ads": false,
          "ageAssuranceAccountWarningTimestamp": null,
          "ageAssuranceEnabledAccountSettings": false,
          "ageAssuranceState": "UNSET",
          "catalogue": "premium",
          "dsaModeAvailable": false,
          "dsaModeEnabled": false,
          "estimatedAge": 33,
          "filterExplicitContent": false,
          "multiUserPlanCurrentSize": null,
          "multiUserPlanMemberType": null,
          "onDemand": true,
          "optInTrialPremiumOnlyMarket": false,
          "shouldAssureAgeContentPlayback": false,
          "shouldAssureAgeSocial": false
        },
        "country": "US",
        "product": "PREMIUM"
      }
    }
  }
}
```
"24aaa3057b69fa91492de26841ad199bd0b330ca95817b7a4d6715150de01827" } } } ``` ``` HTTP/1.1 200 OK content-type: application/json cache-control: private, max-age=0 x-robots-tag: noindex, nofollow access-control-allow-origin: https://open.spotify.com content-encoding: gzip server-timing: edge;dur=19 strict-transport-security: max-age=31536000 x-content-type-options: nosniff alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 access-control-allow-credentials: true date: Thu, 25 Dec 2025 04:05:05 GMT server: envoy via: HTTP/2 edgeproxy, 1.1 google Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Transfer-Encoding: chunked { "data": { "me": { "account": { "attributes": { "ads": false, "ageAssuranceAccountWarningTimestamp": null, "ageAssuranceEnabledAccountSettings": false, "ageAssuranceState": "UNSET", "catalogue": "premium", "dsaModeAvailable": false, "dsaModeEnabled": false, "estimatedAge": 33, "filterExplicitContent": false, "multiUserPlanCurrentSize": null, "multiUserPlanMemberType": null, "onDemand": true, "optInTrialPremiumOnlyMarket": false, "shouldAssureAgeContentPlayback": false, "shouldAssureAgeSocial": false }, "country": "US", "product": "PREMIUM" } } } } ```

@0xXiHan commented on GitHub (Dec 25, 2025):

Hey bro, I think I've solved my problem. I made the check_token_validity function return True directly, and I can determine the availability of sp_dc through some downstream interfaces.


@tomballgithub commented on GitHub (Dec 25, 2025):

I verified that all three URLs return the same thing for 'Date'. The first requires auth headers; in its absence, it still returns 'Date' but not 'timestamp'. You can see 'timestamp' or 'serverTime' returned in my examples above, and I verified that both match the associated 'Date'.

All this to say, if TOTP is incorrect, it shouldn't be because the date URLs have changed.

- https://gae2-spclient.spotify.com/melody/v1/time (Requires auth headers)
- https://open.spotify.com/api/server-time
- https://open.spotify.com/
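The cross-check described in the comment above (Date header versus the `timestamp` / `serverTime` body fields from the captures earlier in the thread), written out as an added example; this is not code from the thread or from spotify_monitor. The sample responses are constructed from the values quoted above, and the 30-second window is the RFC 6238 default step, not something the thread states about Spotify.

```python
"""Cross-check the time sources compared in this thread.

Added example (not spotify_monitor's own code). The Date header and the
JSON body of /melody/v1/time and /api/server-time are compared after
normalising units: 'timestamp' is in milliseconds, 'serverTime' in
seconds. The sample responses are constructed from values quoted above.
"""
import json
from email.utils import parsedate_to_datetime

TOTP_STEP_SECONDS = 30  # RFC 6238 default step; drift beyond one step matters

# Constructed from the captures quoted in the thread (other headers trimmed).
MELODY_TIME = ({"date": "Thu, 25 Dec 2025 04:18:19 GMT"},
               '{ "timestamp": 1766636299837 }', "timestamp")
SERVER_TIME = ({"Date": "Thu, 25 Dec 2025 19:57:17 GMT"},
               '{ "serverTime": 1766692637 }', "serverTime")


def parse_http_date(value: str) -> int:
    """RFC 7231 Date header -> Unix seconds (UTC)."""
    return int(parsedate_to_datetime(value).timestamp())


def extract_server_time(body: str, key: str) -> int:
    """Read the epoch value under `key`, converting milliseconds to seconds.

    Anything above 10**11 cannot be a plausible seconds value for current
    dates, so it is treated as milliseconds.
    """
    value = int(json.loads(body)[key])
    return value // 1000 if value > 10**11 else value


def totp_counter(unix_seconds: int, step: int = TOTP_STEP_SECONDS) -> int:
    """Time-step counter a TOTP implementation would feed into HMAC."""
    return unix_seconds // step


def check_time_source(headers, body, key, tolerance=TOTP_STEP_SECONDS):
    """Return the drift between body time and Date header, and whether
    both would select the same TOTP time step."""
    # Header names are case-insensitive; the melody capture uses 'date'.
    date_hdr = next(v for k, v in headers.items() if k.lower() == "date")
    date_ts = parse_http_date(date_hdr)
    body_ts = extract_server_time(body, key)
    return {
        "date": date_ts,
        "body": body_ts,
        "drift": body_ts - date_ts,
        "consistent": abs(body_ts - date_ts) <= tolerance,
        "same_window": totp_counter(date_ts) == totp_counter(body_ts),
    }


if __name__ == "__main__":
    for name, (hdrs, body, key) in {"melody/v1/time": MELODY_TIME,
                                    "api/server-time": SERVER_TIME}.items():
        print(name, check_time_source(hdrs, body, key))
```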

@tomballgithub commented on GitHub (Dec 25, 2025):

At Thu, 25 Dec 2025 04:17:48 GMT, I see the time fetched and then a subsequent GET from https://open.spotify.com/api/token?reason=init&productType=web-player&totp=830346&totpServer=830346&totpVer=61.

If I force the time to Thu, 25 Dec 2025 04:17:48 GMT in fetch_server_time(), it generates 830346 for otp_value, which is the expected value.

So TOTP calculations still look OK with '61'


@tomballgithub commented on GitHub (Dec 25, 2025):

Is there a bug in the code here? TOTP_VER is sent as a parameter in the URL, but the default is '0' for autodetect, which works correctly in the code for TOTP generation, but TOTP_VER never changes from '0'.

    params = {
        "reason": "transport",
        "productType": "web-player",
        "totp": otp_value,
        "totpServer": otp_value,
        "totpVer": TOTP_VER,
    }

I am seeing the script with totpVer = 0 in the URL rather than 61
https://open.spotify.com/api/token?reason=init&productType=web-player&totp=108902&totpServer=108902&totpVer=0


@tomballgithub commented on GitHub (Dec 26, 2025):

I have code working that gets the 'Authorization' token and the 'client-token'

I can access these endpoints (only two I've tried):
https://guc3-spclient.spotify.com/presence-view/v1/buddylist
https://guc3-spclient.spotify.com/melody/v1/time

But https://api.spotify.com/v1/me gives me a 429 (previously I said it was a 404, but I had a url error)

I don't see the web client or the Windows client using this endpoint, so I have nothing to compare the requests to.


@misiektoja commented on GitHub (Dec 26, 2025):

Wow, that is very good news! We don't really need /v1/me for anything crucial. It was used in the check_token_validity() function (we can use the /v1/buddylist endpoint instead) and in spotify_get_current_user() to get info about the token owner (it was for informational purposes only and not really needed for any core functionality, so we can remove it).

Will you make a PR for that?

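The comment above swaps the `check_token_validity()` probe from /v1/me to the buddylist endpoint; the thread also shows what goes wrong when a 429 on the probe is read as "token invalid" (endless token re-requests, or a check patched to return True unconditionally). As an added example, not code from the thread or from spotify_monitor, this classifies a probe response before deciding whether to refresh the token. Endpoint paths, status codes and the `Retry-After` value are constructed to mirror the thread's observations.

```python
"""Classify a token-validity probe instead of treating every non-200 as
"token invalid".

Added example, not spotify_monitor's code. In the thread /v1/me answers
429 while /presence-view/v1/buddylist still answers 200 for the same
token; a check that reads 429 as "sp_dc expired" keeps re-requesting
tokens and tempts the workaround of returning True unconditionally.
Endpoint names and responses below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class TokenState(Enum):
    VALID = "valid"
    INVALID = "invalid"            # token rejected: refresh from sp_dc
    RATE_LIMITED = "rate_limited"  # token status unknown: back off, do not refresh
    TRANSIENT = "transient"        # server-side error: retry later
    UNKNOWN = "unknown"


@dataclass
class ProbeResult:
    state: TokenState
    endpoint: str
    retry_after: Optional[int] = None


def classify_probe(endpoint: str, status: int, headers: Dict[str, str],
                   default_backoff: int = 60) -> ProbeResult:
    """Map one HTTP response to a token state; only 401/403 mean 'invalid'."""
    if status == 200:
        return ProbeResult(TokenState.VALID, endpoint)
    if status in (401, 403):
        return ProbeResult(TokenState.INVALID, endpoint)
    if status == 429:
        ra = headers.get("Retry-After", "")
        wait = int(ra) if ra.isdigit() else default_backoff
        return ProbeResult(TokenState.RATE_LIMITED, endpoint, retry_after=wait)
    if 500 <= status < 600:
        return ProbeResult(TokenState.TRANSIENT, endpoint, retry_after=default_backoff)
    return ProbeResult(TokenState.UNKNOWN, endpoint)


def probe_token(responses: Dict[str, Tuple[int, Dict[str, str]]],
                endpoints: List[str]) -> ProbeResult:
    """Try probe endpoints in order and stop at the first definitive answer.

    A rate-limited or failing endpoint says nothing about the token, so the
    next endpoint is tried; if none is definitive the last result is
    returned so the caller backs off instead of refreshing.
    """
    last = ProbeResult(TokenState.UNKNOWN, "none")
    for ep in endpoints:
        status, headers = responses[ep]
        last = classify_probe(ep, status, headers)
        if last.state in (TokenState.VALID, TokenState.INVALID):
            return last
    return last


def should_refresh_token(result: ProbeResult) -> bool:
    """Only a rejected token justifies burning a refresh attempt."""
    return result.state is TokenState.INVALID


# Constructed to mirror the thread: /v1/me rate-limited, buddylist fine.
SAMPLE_RESPONSES = {"/v1/me": (429, {"Retry-After": "30"}),
                    "/presence-view/v1/buddylist": (200, {})}
PROBE_ORDER = ["/v1/me", "/presence-view/v1/buddylist"]
```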

@tomballgithub commented on GitHub (Dec 26, 2025):

@misiektoja It's nowhere close to a PR, I just got it up to being able to pass the check_token_validity. I don't understand all of the different refreshes and such that you have going on. At a minimum, I'll send you my code tonight over email.


@0xXiHan commented on GitHub (Dec 26, 2025):

The previous status code 400 occurred because it hadn't reached /v1/me yet and was still retrying to obtain the token. The check_token_validity function was being ignored. Currently, it appears that TOTP acquisition is working fine, but the official service seems to have implemented risk control measures on the /v1/me endpoint.


@tomballgithub commented on GitHub (Dec 26, 2025):

Well, I've cleaned it up a lot, but noticed something else:

spotify_get_friends_json, works: https://guc-spclient.spotify.com/presence-view/v1/buddylist
spotify_get_track_info, gives 429: https://api.spotify.com/v1/tracks/

I wonder if they are blocking https://api.spotify.com/v1/ or moved it? Or it could just be that my headers/auth need to be different for get_track_info requests.


@misiektoja commented on GitHub (Dec 26, 2025):

Hey guys, thanks to your findings I got the code fully working in both cookie and client modes!

You made me realize we need a hybrid approach. It turned out some calls still work without changes (like /v1/buddylist), but for others (like /v1/tracks or /v1/playlists) the official client credentials flow is required (oauth_app).

So I backported some code from spotify_profile_monitor and confirmed it works. Now it will require setting up two authentication modes: cookie/client and oauth_app. We need two different authentication methods because neither provides access to all API endpoints.

Let me clean up the code and I will push it to dev in a couple of minutes.


@tomballgithub commented on GitHub (Dec 26, 2025):

Yep, I see the same thing with /v1/playlists.

I spent way too much time on this today, but I do feel like getting it to work was a nice accomplishment for myself


@tomballgithub commented on GitHub (Dec 26, 2025):

Happy you got it working. Merry Xmas!


@misiektoja commented on GitHub (Dec 26, 2025):

> I spent way too much time on this today, but I do feel like getting it to work was a nice accomplishment for myself

Great work! It made fixing it an easy-peasy task! Merry Christmas to you as well!


@tomballgithub commented on GitHub (Dec 26, 2025):

Not sure if this was always the case, but this was mentioned above:

interface JsSdkData {
  device_brand: string;
  device_model: string;
  os: string;
  os_version: string;
  device_id: string;
  device_type: string;
}

I did notice device_id being passed in the requests, and that it seems to match the web browser cookie SP_T. I'm not sure if there is some way to get this besides manually entering it like SP_DC

It does work without it, but this could be a telltale sign of a script if it's missing.


@tomballgithub commented on GitHub (Dec 26, 2025):

Did you see my comment above about ->

I am seeing the script with totpVer = 0 in the URL rather than 61
https://open.spotify.com/api/token?reason=init&productType=web-player&totp=108902&totpServer=108902&totpVer=0


@misiektoja commented on GitHub (Dec 26, 2025):

Pushed, please test and let me know if you notice any issues! I'll look into other stuff you reported hopefully tomorrow!
