**Note:** I would recommend a little PHP Script, which will exchange the Keys using AutorizationCodeAuth.
When using ImplicitGrantAuth, another user could abuse the "localhost" RedirectUri by creating a "fake"-app which uses your ClientId.
Overview:
![Overview](http://i.imgur.com/uf3ahTl.png)
After implementing one of the provided auth-methods, you can start doing requests with the token you get from one of the auth-methods
##ImplicitGrantAuth
This way is **recommended** and the only auth-process, which does not need a server-side exchange of keys. With this approach, you directly get a Token object after the user authed your application.
You won't be able to refresh the token. If you want to use the internal Http server, please add "http://localhost" to your application redirects.
More info: [here](https://developer.spotify.com/web-api/authorization-guide/#implicit_grant_flow)
For this kind of authentication, there is also a `WebAPIFactory`, it's easier to use and uses an async method:
```
static async void Main(string[] args)
{
WebAPIFactory webApiFactory = new WebAPIFactory(
"http://localhost",
8000,
"XXXXXXXXXXXXXXXX",
Scope.UserReadPrivate,
TimeSpan.FromSeconds(20)
);
try
{
//This will open the user's browser and returns once
//the user is authorized.
_spotify = await webApiFactory.GetWebApi();
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
if (_spotify == null)
return;
}
```
The old way:
```
static ImplicitGrantAuth auth;
static void Main(string[] args)
{
//Create the auth object
auth = new ImplicitGrantAuth()
{
//Your client Id
ClientId = "XXXXXXXXXXXXXXXX",
//Set this to localhost if you want to use the built-in HTTP Server
This way is **not recommended** and requires server-side code to run securely.
With this approach, you make a POST Request with a base64 encoded string (consists of ClientId + ClientSecret). You will directly get the token (Without a local HTTP Server), but it will expire and can't be refreshed.
If you want to use it securely, you would need to do it all server-side.
**NOTE:** You will only be able to query non-user-related information e.g search for a Track.
More info: [here](https://developer.spotify.com/web-api/authorization-guide/#client_credentials_flow)