[GH-ISSUE #1048] Using Spotipy in Django Application - access_token is the same for all the users, even with different Spotify accounts. #623

Closed
opened 2026-02-28 00:00:21 +03:00 by kerem · 2 comments

Originally created by @Rafael-Rueda on GitHub (Dec 2, 2023).
Original GitHub issue: https://github.com/spotipy-dev/spotipy/issues/1048

So, to begin, I have this view which leads me to the beginning of my Spotipy authentication process:

```py
from django.conf import settings
from django.shortcuts import redirect, render
from spotipy import Spotify
from spotipy.oauth2 import SpotifyOAuth

def spotify_auth(request):
    # Drop any token this session already holds before starting a new login.
    if 'token_info' in request.session:
        del request.session['token_info']

    # No cache_handler is passed, so SpotifyOAuth falls back to its default
    # file-based cache (a single .cache file shared by every request).
    sp_oauth = SpotifyOAuth(
        settings.SPOTIFY_CLIENT_ID,
        settings.SPOTIFY_CLIENT_SECRET,
        settings.SPOTIFY_REDIRECT_URI,
        scope="user-library-read user-top-read user-read-playback-state user-read-recently-played",
    )

    auth_url = sp_oauth.get_authorize_url()
    return redirect(auth_url)
```

With this, I get a code as a query string in my URL, which is used to receive my access_token to Spotify API.
Here is how I use this code to get my access_token:

  • Note: My SPOTIFY_REDIRECT_URI leads to this view (rooms), which renders a template.
```py
def rooms(request):

    if 'code' in request.GET:
        sp_oauth_token = SpotifyOAuth(
            settings.SPOTIFY_CLIENT_ID,
            settings.SPOTIFY_CLIENT_SECRET,
            settings.SPOTIFY_REDIRECT_URI,
            scope="user-library-read user-top-read user-read-playback-state user-read-recently-played",
        )

        code = request.GET['code']

        # check_cache defaults to True: a token already present in the cache is
        # returned before the code from this request is ever exchanged.
        token_info = sp_oauth_token.get_access_token(code=code)
        print(token_info['access_token']) # Attention to this print.

        request.session['token_info'] = token_info

    # Other logic here...
    return render(request, "my-rooms-template.html")
```

In my print, I can see the access_token obtained from the code, which was provided by the user's authorization on Spotify's website.
However, if I try to change the Spotify account by opening a new (anonymous) tab in the browser and going through the same process, I get an identical access_token as before, even with different Spotify accounts. So all the data I would use in my application would come from a single Spotify account, which is not what I want.

If someone knows why this is happening, I would be very thankful!

Additional:

When I restart my whole project from scratch and then do the first Spotify authentication on my website (with a Spotify user who is in the User Management of my Spotify App), I get as a result the new user's information and a new access token. However, if I try to log in with a new Spotify user, the token remains the same, and the information is all from my first authenticated user.

I can imagine that there is something like a "cache" of access tokens that I need to clear before making another authentication. I don't know if that's the case, but any ideas would help me figure it out.

Possible Solution:

https://developer.spotify.com/documentation/web-api/tutorials/implicit-flow

Use the implicit flow without the Spotipy module, using the requests module instead to make requests to the Spotify API.
This worked for me, but I still want to know the answer: why was I receiving the same access token for different users?


@travesties commented on GitHub (Feb 5, 2024):

For anyone who is experiencing this problem, Spotipy does in fact cache access tokens. You can disable this when calling `get_access_token` by passing in the parameter `check_cache=False`. Here is the source code in question: https://github.com/spotipy-dev/spotipy/blob/a14a28e10c1889cce83eec7a7e1ad4b5944a452d/spotipy/oauth2.py#L524

@dieser-niko commented on GitHub (Jun 12, 2024):

Hi there, no need to do `check_cache=False`. You can just use `spotipy.cache_handler.DjangoSessionCacheHandler`, which would bind the token to sessions.
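As an added example, not code from the thread or from spotipy, the model below reproduces the two behaviours the comments above describe: spotipy's default file cache is shared by every request in the process, so `get_access_token` hands the first user's cached token to every later login, while `check_cache=False` or a per-session `DjangoSessionCacheHandler` changes that. It mirrors spotipy's `CacheHandler` method names; the code exchange itself is a constructed stand-in and nothing contacts Spotify.

```python
"""Added model (not spotipy's code) of spotipy's CacheHandler interface and the
check_cache branch of get_access_token; exchange_code() is a constructed stand-in."""

class FileCacheHandler:
    """Stand-in for the default CacheFileHandler: one .cache file per process."""
    def __init__(self):
        self._store = {}  # a dict plays the file shared by every request

    def get_cached_token(self):
        return self._store.get("token_info")

    def save_token_to_cache(self, token_info):
        self._store["token_info"] = token_info

class SessionCacheHandler:
    """Stand-in for DjangoSessionCacheHandler: token kept in the caller's session."""
    def __init__(self, session):
        self.session = session  # a dict here, request.session in Django

    def get_cached_token(self):
        return self.session.get("token_info")

    def save_token_to_cache(self, token_info):
        self.session["token_info"] = token_info

def exchange_code(code):
    """Constructed stand-in for the authorization-code exchange with Spotify."""
    return {"access_token": f"tok-{code}", "scope": "user-library-read"}

def get_access_token(cache, code, check_cache=True):
    """Same order as spotipy: with check_cache=True a cache hit wins over the code."""
    if check_cache and (cached := cache.get_cached_token()) is not None:
        return cached
    token_info = exchange_code(code)
    cache.save_token_to_cache(token_info)  # written back even with check_cache=False
    return token_info

def tokens_for_two_logins(mode):
    """Two browsers finish the flow with codes 'alice' then 'bob'; mode is
    'file' (default shared cache), 'file_nocache' (check_cache=False) or 'session'."""
    codes = ("alice", "bob")
    if mode == "session":
        return [get_access_token(SessionCacheHandler({}), c)["access_token"] for c in codes]
    shared = FileCacheHandler()
    return [get_access_token(shared, c, check_cache=mode == "file")["access_token"]
            for c in codes]
```

In the Django views above the equivalent change is `SpotifyOAuth(..., cache_handler=DjangoSessionCacheHandler(request))`; with `check_cache=False` alone the shared file still ends up holding whichever user logged in last, so the per-session handler is the safer fix.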