Spotify authorization code (not access token) is expiring – how can I circumvent this?

I am developing an app that creates a public Spotify playlist for a user who has given proper authorization to do so.

I am using Flask and Python requests library to accomplish this, but after I’ve sent a few consecutive POST requests to get an access token from Spotify (using authorization code obtained from previous logic), it begins to fail. I am referring to Step 4 of Authorization Code Flow from this link: https://developer.spotify.com/web-api/authorization-guide/#authorization_code_flow

I know the authorization code is valid, because it doesn’t fail for the first few times I run the request (maybe 5-10 times).

When I print the response from the POST I get the following: {'error_description': 'Authorization code expired', 'error': 'invalid_grant'}

I assume I am not using the authorization code fast enough to get an access token (after repeatedly failing on code logic before the access token POST request, I guess?) but how am I supposed to reset and refresh the authorization code so I can keep making requests repeatedly? Any info on how long I am disabled and generally good programming practice to avoid this scenario?

Answer

When you use the authorization code to get your access token, you will also get a refresh token back in the same message. Use that refresh token to request new access tokens, when the access tokens expire.

How to use the refresh token is written on the same page you linked to, just a bit further down: https://developer.spotify.com/web-api/authorization-guide/#request-access-token-from-refresh-token

I agree that this is not the easiest to understand, but there are good reasons for all these things. It is also a standard called OAuth2, which many websites use to let users authorize apps to access their data, so it is useful in a lot of places.

In this specific case: “why do I need a refresh token to get an access token, I already have an authorization code to get an access token?”, it is because the authorization code has leaked to the outside because it was returned to you via the user’s browser.

User contributions licensed under: CC BY-SA
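The flow the answer describes, as an added example that is not part of the original question or answer: the authorization code is exchanged exactly once, the refresh token is kept server-side, and a new access token is requested only when the current one is about to expire. The class name `SpotifyTokens`, the injectable `post` and `clock` parameters, and the 30-second expiry margin are assumptions made for illustration; the endpoint and form fields follow the authorization guide linked above.

```python
import base64, json, time, urllib.parse, urllib.request

TOKEN_URL = "https://accounts.spotify.com/api/token"

def http_post(url, data, headers):
    """Default transport (stdlib only): form-encoded POST, returns the JSON body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(), headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class SpotifyTokens:  # hypothetical helper name, not a Spotify API
    def __init__(self, client_id, client_secret, redirect_uri, post=http_post, clock=time.time):
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._headers = {"Authorization": "Basic " + basic}
        self._redirect_uri = redirect_uri
        self._post, self._clock = post, clock
        self.access_token = self.refresh_token = None
        self._expires_at = 0.0

    def _store(self, body):
        if "error" in body:  # e.g. invalid_grant when a code is reused or expired
            raise RuntimeError(f"{body['error']}: {body.get('error_description')}")
        self.access_token = body["access_token"]
        # A refresh response may omit refresh_token; keep the one we already hold.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        # Treat the token as expired 30 s early so a request never carries a stale one.
        self._expires_at = self._clock() + body["expires_in"] - 30

    def exchange_code(self, code):
        """Call once per authorization code, in the redirect handler."""
        self._store(self._post(TOKEN_URL, {
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self._redirect_uri}, self._headers))

    def get_access_token(self):
        """Return a valid access token, refreshing it only when needed."""
        if self.refresh_token is None:
            raise RuntimeError("no refresh token; the user must authorize first")
        if self._clock() >= self._expires_at:
            self._store(self._post(TOKEN_URL, {
                "grant_type": "refresh_token",
                "refresh_token": self.refresh_token}, self._headers))
        return self.access_token
```

The refresh token is a long-lived credential: persist it per user on the server (for example in the database row for that user), not in the browser or in a URL.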