[GH-ISSUE #1186] Spotify is increasing the security requirements - redirect uri #694

Closed
opened 2026-02-28 00:00:56 +03:00 by kerem · 0 comments

Originally created by @sandrzejewskipl on GitHub (Feb 12, 2025).
Original GitHub issue: https://github.com/spotipy-dev/spotipy/issues/1186

From Spotify's [blog post](https://developer.spotify.com/blog/2025-02-12-increasing-the-security-requirements-for-integrating-with-spotify):

> To improve security for our users, Spotify is planning to remove support for two ways of integrating with Spotify that have been replaced with more secure alternatives. This includes deprecating use of [the implicit grant](https://developer.spotify.com/documentation/web-api/tutorials/implicit-flow) as well as removing support for unencrypted HTTP redirect URIs for your client.
>
> All clients created from the 9th of April 2025 will have the new rules enforced automatically. Migration of existing clients to an acceptable state must be made by November 2025.

The most important thing is that `localhost` will no longer be a supported redirect URI, so it must be removed from every doc or README and changed to `127.0.0.1`, and maybe there should be a warning when someone tries to use `localhost` as a redirect URI.

Also from Spotify's blog post:

> Any redirect URI using HTTP will stop being supported, except loopback IP address literals such as http://127.0.0.1 for IPv4 and http://[::1] for IPv6. Any invalid redirect URIs will need to be changed. You can check them under your client’s ‘settings’ tab in the developer console.
>
> Redirects using a custom scheme will still be supported, but we recommend developers to use HTTPS redirects where possible. For mobile applications, we recommend using Android App Links and iOS Universal Links where possible.
>
> For example:
>
> http://www.example.com could be migrated to https://www.example.com
> http://localhost:3000 could be migrated to http://127.0.0.1:3000
> com.example://callback can still be used as before

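As an added example (not code from the spotipy project or from this issue), a small Python checker that applies the redirect URI rules quoted above and proposes the migrations the blog post lists; the function names and messages are hypothetical.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit


def check_redirect_uri(uri: str) -> Tuple[bool, str]:
    """Classify a redirect URI under the rules quoted from Spotify's blog post.

    Returns (accepted, reason). Rules applied:
      - https is always accepted
      - http is accepted only for loopback IP literals (127.0.0.0/8, [::1]),
        NOT for the hostname "localhost"
      - any other scheme is treated as a custom app scheme and accepted
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if not scheme:
        return False, "missing scheme"
    if scheme == "https":
        return True, "https redirect"
    if scheme == "http":
        host = parts.hostname  # lowercased; brackets stripped from IPv6 literals
        if host is None:
            return False, "http redirect with no host"
        if host == "localhost":
            return False, "http://localhost is no longer accepted; use http://127.0.0.1 or http://[::1]"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False, f"http redirect to hostname {host!r} is not accepted; migrate to https"
        if addr.is_loopback:
            return True, "http loopback IP literal"
        return False, f"http redirect to non-loopback address {host} is not accepted"
    return True, "custom scheme redirect (still supported; https recommended)"


def suggest_migration(uri: str) -> Optional[str]:
    """Return a migrated URI following the blog post's examples, or None if no change is needed."""
    accepted, _ = check_redirect_uri(uri)
    if accepted:
        return None
    parts = urlsplit(uri)
    if parts.scheme.lower() == "http":
        if parts.hostname == "localhost":
            port = f":{parts.port}" if parts.port else ""
            return parts._replace(netloc=f"127.0.0.1{port}").geturl()
        return parts._replace(scheme="https").geturl()
    return None
```

`check_redirect_uri` is the kind of check a client library could run before starting the authorization flow so that a deprecated `localhost` redirect fails early with a clear message instead of at Spotify's side.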
kerem (2026-02-28 00:00:56 +03:00) closed this issue and added the `bug` label.