<titledata-react-helmet="true">Token Swap | SpotifyAPI-NET</title><metadata-react-helmet="true"name="docsearch:version"content="5.1.1"><metadata-react-helmet="true"name="twitter:card"content="summary_large_image"><metadata-react-helmet="true"property="og:title"content="Token Swap | SpotifyAPI-NET"><metadata-react-helmet="true"name="description"content="This way uses server-side code or at least access to an exchange server, otherwise, compared to other"><metadata-react-helmet="true"property="og:description"content="This way uses server-side code or at least access to an exchange server, otherwise, compared to other"><metadata-react-helmet="true"property="og:url"content="https://johnnycrazy.github.io/SpotifyAPI-NET/docs/auth/token_swap"><linkdata-react-helmet="true"rel="shortcut icon"href="/SpotifyAPI-NET/img/favicon.ico"><linkdata-react-helmet="true"rel="canonical"href="https://johnnycrazy.github.io/SpotifyAPI-NET/docs/auth/token_swap"><linkrel="stylesheet"href="/SpotifyAPI-NET/styles.8a053330.css">
methods, it is impossible to use.</p><p>With this approach, you provide the URI/URL to your desired exchange server to perform all necessary
requests to Spotify, as well as requests that return back to the "server URI".</p><p>The exchange server <strong>must</strong> be able to:</p><ul><li>Return the authorization code from Spotify API authenticate page via GET request to the "server URI".</li><li>Request the token response object via POST to the Spotify API token page.</li><li>Request a refreshed token response object via POST to the Spotify API token page.</li></ul><p><strong>The good news is that you do not need to code it yourself.</strong></p><p>The advantages of this method are that the client ID and redirect URI are very well hidden and almost unexposed, but more importantly, your client secret is <strong>never</strong> exposed and is completely hidden compared to other methods (excluding <ahref="/SpotifyWebAPI/auth#implicitgrantauth">ImplicitGrantAuth</a>
as it does not deal with a client secret). This means
your Spotify app <strong>cannot</strong> be spoofed by a malicious third party.</p><h2><aaria-hidden="true"tabindex="-1"class="anchor enhancedAnchor_ZqCz"id="using-tokenswapwebapifactory"></a>Using TokenSwapWebAPIFactory<aaria-hidden="true"tabindex="-1"class="hash-link"href="#using-tokenswapwebapifactory"title="Direct link to heading">#</a></h2><p>The TokenSwapWebAPIFactory will create and configure a SpotifyWebAPI object for you.</p><p>It does this through the method GetWebApiAsync <strong>asynchronously</strong>, which means it will not halt execution of your program while obtaining it for you. If you would like to halt execution, which is <strong>synchronous</strong>, use <code>GetWebApiAsync().Result</code> without using <strong>await</strong>.</p><divclass="mdxCodeBlock_iHAB"><divclass="codeBlockContent_32p_"><buttontype="button"aria-label="Copy code to clipboard"class="copyButton_1BYj">Copy</button><divtabindex="0"class="prism-code language-csharp codeBlock_19pQ"><divclass="codeBlockLines_2n9r"style="color:#bfc7d5;background-color:#292d3e"><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">TokenSwapWebAPIFactory webApiFactory;</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">SpotifyWebAPI spotify;</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"style="display:inline-block">
</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">// You should store a reference to WebAPIFactory if you are using AutoRefresh or want to manually refresh it later on. New WebAPIFactory objects cannot refresh SpotifyWebAPI object that they did not give to you.</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">webApiFactory = new TokenSwapWebAPIFactory("INSERT LINK TO YOUR index.php HERE")</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">{</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> Scope = Scope.UserReadPrivate | Scope.UserReadEmail | Scope.PlaylistReadPrivate,</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> AutoRefresh = true</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">};</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">// You may want to react to being able to use the Spotify service.</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">// webApiFactory.OnAuthSuccess += (sender, e) => authorized = true;</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">// You may want to react to your user's access expiring.</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">// webApiFactory.OnAccessTokenExpired += (sender, e) => authorized = false;</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"style="display:inline-block">
</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">try</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">{</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> spotify = await webApiFactory.GetWebApiAsync();</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> // Synchronous way:</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> // spotify = webApiFactory.GetWebApiAsync().Result;</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">}</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">catch (Exception ex)</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">{</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> // Example way to handle error reporting gracefully with your SpotifyWebAPI wrapper</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> // UpdateStatus($"Spotify failed to load: {ex.Message}");</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">}</span></div></div></div></div></div><h2><aaria-hidden="true"tabindex="-1"class="anchor enhancedAnchor_ZqCz"id="using-tokenswapauth"></a>Using TokenSwapAuth<aaria-hidden="true"tabindex="-1"class="hash-link"href="#using-tokenswapauth"title="Direct link to heading">#</a></h2><p>Since the TokenSwapWebAPIFactory not only simplifies the whole process but offers additional functionality too
(such as AutoRefresh and AuthSuccess AuthFailure events), use of this way is very verbose and is only
recommended if you are having issues with TokenSwapWebAPIFactory or need access to the tokens.</p><divclass="mdxCodeBlock_iHAB"><divclass="codeBlockContent_32p_"><buttontype="button"aria-label="Copy code to clipboard"class="copyButton_1BYj">Copy</button><divtabindex="0"class="prism-code language-csharp codeBlock_19pQ"><divclass="codeBlockLines_2n9r"style="color:#bfc7d5;background-color:#292d3e"><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">TokenSwapAuth auth = new TokenSwapAuth(</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> exchangeServerUri: "INSERT LINK TO YOUR index.php HERE",</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> serverUri: "http://localhost:4002",</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> scope: Scope.UserReadPrivate | Scope.UserReadEmail | Scope.PlaylistReadPrivate</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">);</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">auth.AuthReceived += async (sender, response) =></span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">{</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> lastToken = await auth.ExchangeCodeAsync(response.Code);</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"style="display:inline-block">
</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> authenticated = true;</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain"> auth.Stop();</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">};</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">auth.OnAccessTokenExpired += async (sender, e) => spotify.AccessToken = (await auth.RefreshAuthAsync(lastToken.RefreshToken)).AccessToken;</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">auth.Start();</span></div><divclass="token-line"style="color:#bfc7d5"><spanclass="token plain">auth.OpenBrowser();</span></div></div></div></div></div><h2><aaria-hidden="true"tabindex="-1"class="anchor enhancedAnchor_ZqCz"id="token-swap-endpoint"></a>Token Swap Endpoint<aaria-hidden="true"tabindex="-1"class="hash-link"href="#token-swap-endpoint"title="Direct link to heading">#</a></h2><p>To keep your client secret completely secure and your client ID and redirect URI as secure as possible, use of a web server (such as a php website) is required.</p><p>To use this method, an external HTTP Server (that you may need to create) needs to be able to supply the following HTTP Endpoints to your application:</p><p><code>/swap</code> - Swaps out an <code>authorization_code</code> with an <code>access_token</code> and <code>refresh_token</code> - The following parameters are required in the JSON POST Body:</p><ul><li><code>grant_type</code> (set to <code>"authorization_code"</code>)</li><li><code>code</code> (the <code>authorization_code</code>)</li><li><code>redirect_uri</code></li><li><ul><li><strong>Important</strong> The page that the redirect URI links to must return the authorization code json to your <code>serverUri</code> (default is 'http://localhost:4002') but to the folder 'auth', like this: 'http://localhost:4002/auth'.</li></ul></li></ul><p><code>/refresh</code> - Refreshes an <code>access_token</code> - The following parameters are required in the JSON POST Body:</p><ul><li><code>grant_type</code> (set to <code>"refresh_token"</code>)</li><li><code>refresh_token</code></li></ul><p>The following open-source token swap endpoint code can be used for your website:</p><ul><li><ahref="https://github.com/rollersteaam/spotify-token-swap-php"target="_blank"rel="noopener noreferrer">rollersteaam/spotify-token-swap-php</a></li><li><ahref="https://github.com/simontaen/SpotifyTokenSwap"target="_blank"rel="noopener noreferrer">simontaen/SpotifyTokenSwap</a></li></ul><h2><aaria-hidden="true"tabindex="-1"class="anchor enhancedAnchor_ZqCz"id="remarks"></a>Remarks<aaria-hidden="true"tabindex="-1"class="hash-link"href="#remarks"title="Direct link to heading">#</a></h2><p>It should be noted that GitHub Pages does not support hosting php scripts. Hosting php scripts through it will cause the php to render as plain HTML, potentially compromising your client secret while doing absolutely nothing.</p><p>Be sure you have whitelisted your redirect uri in the Spotify Developer Dashboard otherwise the authorization will always fail.</p><p>If you did not use the WebAPIFactory or you provided a <code>serverUri</code> different from its default, you must make sure your redirect uri's script at your endpoint will properly redirect to your <code>serverUri</code> (such as changing the areas which refer to <code>localhost:4002</code> if you had changed <code>serverUri</code> from its default), otherwise it will never reach your new <code>serverUri</code>.</p></div></article><divclass="margin-vert--xl"><divclass="row"><divclass="col"><ahref="https://github.com/JohnnyCrazy/SpotifyAPI-NET/edit/master/SpotifyAPI.Docs/versioned_docs/version-5.1.1/auth/token_swap.md"target="_blank"rel="noreferrer noopener"><svgfill="currentColor"height="1.2em"width="1.2em"preserveAspectRatio="xMidYMid meet"viewBox="0 0 40 40"style="margin-right:0.3em;vertical-align:sub"><g><pathd="m3
