OAuth 2.0
Authorization Code Grant
The authorization code grant is the classic OAuth flow. It allows a user to authorize a third party to access Pandora on their behalf. A use case for this flow is a user authorizing a web client to access Pandora APIs on their behalf. The web client uses an access token to look up details about the user, fetch playlists, etc.
1. Redirect the user to the login page
https://www.pandora.com/oauth/v1/authorize
The client redirects the user to https://www.pandora.com/oauth/v1/authorize with the following query parameters:
Parameter | Description | Type | Example | Required
response_type | Denotes the kind of credential the OAuth server will return (code vs token). For this flow, the value must be code. | string | "code" | Yes
client_id | The identifier of the client. See here how to get your client ID. | string | "K0OOpAbKaR97E1NoeX8dC9LA9wAwq23E" | Yes
redirect_uri | The callback URL registered for your app. You can get your callback URL in your applications dashboard. When the authorization process is successful, the OAuth server redirects the user back to this URL. | string | "http://www.mysite.com/callback" | Yes
scope | A space-delimited list of scopes the client would like. Only "webapi" is supported for now, and it is also the default. | string | "webapi" | No
state | A CSRF token: a random, unguessable value generated by the client that the OAuth server returns unchanged on the redirect. The client is responsible for checking that the returned value matches the one it sent before accepting the authorization code. | string | "8600b31f-52d1-4dca-987c-386e3d8967e9" | No, but highly recommended
code_challenge | The base64url-encoded SHA-256 hash of a random "code verifier" generated by the client. The client must keep the verifier and present it as code_verifier in the token request. | string | "M25iVXpKU3pu" | No, but PKCE is highly recommended for public clients
code_challenge_method | The only permitted method is SHA-256. | string | "S256" | No, but required if code_challenge is used
2. Receive the authorization code
The user then logs in and grants the application consent to access Pandora resources on their behalf. The authorization server redirects the user to the redirect URI specified in the initial request, with the following parameters in the query string:
Parameter | Description | Type | Example
code | A short-lived authorization code that can be exchanged for an access token. | string | "APQBvb9xwom1IkRTg7pGiAE"
state | The state parameter sent in the original request, if it was sent. The client must confirm it matches the value it generated before using the code. | string | "8600b31f-52d1-4dca-987c-386e3d8967e9"
alias | The request authorization UUID; this value changes with each authorization. | string | "AOeZZOQBQiFmQSbaUXGsgYg"
3. Exchange the authorization code for an access token
Now that the client has the authorization code, it can call the OAuth service to obtain the access and refresh tokens needed for GraphQL calls.
The client sends a POST request to https://www.pandora.com/oauth/v1/token with the content type application/x-www-form-urlencoded and the following form parameters:
Parameter | Description | Type | Example | Required
grant_type | Must be authorization_code, indicating the authorization code grant type. | string | "authorization_code" | Yes
redirect_uri | The same redirect URI used in the front-channel request. | string | "http://www.mysite.com/callback" | Yes
code | The authorization code received on the front channel. | string | "APQBvb9xwom1IkRTg7pGiAE" | Yes
code_verifier | If code_challenge was sent on the front channel, the plaintext random value whose SHA-256 hash the back channel compares against that challenge. | string | "M25iVXpKU3puUjFaYWg3T1NDTDQtcW1ROUY5YXlwalNoc0hhakxifmZHa" | No, but required if code_challenge was used
Additionally, the client should include a basic authentication header that looks like the following:
Authorization: Basic Base64Encode(client_id:client_secret)
If everything is valid, we respond with a JSON object that contains:
Parameter | Description | Type | Example
access_token | The access token that can be used to access a Pandora protected resource. | string | "eyJ6aXAiOiJERUYiLCJraWQiOiJlbmMxNTEyNDE0ODM5IiwiY3R5IjVZ0-bT-PbDSehO_4CnTy3fRXbiuQFKCI5ZauccidVCRN-dFGwHPLKHIUQyud0.if2rmJFUJkUDrFvbl44_vw"
refresh_token | A token that can be used at the refresh endpoint to fetch a fresh access_token. | string | "eyJ6aXAiOiJERUYiLCJraWQiOiJlbmMxNTEzNzgzOTU4IiwiY3R5IjoiSldUIiwiZW5jIjoiuTTVDpWIqNwxXHoekobswt7uXaBhExXkolqVB4y5yOk.B7eRL3XpBwKtpcc9rgVjJQ"
expires_in | The lifetime of the access token in seconds. The refresh token does not expire, so store it as you would any long-lived credential. | number | 14400
token_type | The type of the token, typically "Bearer". | string | "Bearer"
You can use this curl command to test, after setting CLIENT_ID, CLIENT_SECRET, REDIRECT_URI and CODE in your shell. The code_verifier line is needed only if you sent code_challenge in step 1; CODE_VERIFIER is then the plaintext verifier, not the challenge:
curl 'https://www.pandora.com/oauth/v1/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H "Authorization: Basic $(printf '%s:%s' "$CLIENT_ID" "$CLIENT_SECRET" | base64 | tr -d '\n')" \
  -d grant_type=authorization_code \
  -d redirect_uri="$REDIRECT_URI" \
  -d code="$CODE" \
  -d code_verifier="$CODE_VERIFIER"
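Steps 1 to 3 put together as an added Python example; this is not code from Pandora's documentation. It generates the state and the PKCE verifier/challenge pair, builds the authorize URL, refuses the callback unless the returned state matches the one it sent, and assembles the token POST with the Basic header. The client credentials, redirect URI and the callback query string are constructed sample values. The server_pkce_check function models what the token endpoint does with code_verifier (recompute S256 and compare to the stored challenge) and is an assumption about its behaviour, not Pandora's code.

```python
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE_URL = "https://www.pandora.com/oauth/v1/authorize"
TOKEN_URL = "https://www.pandora.com/oauth/v1/token"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for S256."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method.

    The verifier is 32 random bytes, base64url-encoded (43 chars); the client
    keeps it private. The challenge sent in step 1 is base64url(SHA-256(verifier)).
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, state, code_challenge, scope="webapi"):
    """Step 1: the URL the client redirects the user to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the authorization code out of the redirect.

    Rejects the response when state is missing or differs from what we sent;
    that comparison is the CSRF protection the state parameter exists for.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    if returned_state is None or not secrets.compare_digest(
        returned_state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: possible CSRF or crossed session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(client_id, client_secret, redirect_uri, code, code_verifier):
    """Step 3: headers and form body for the POST to the token endpoint."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + creds,
    }
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    })
    return headers, body


def server_pkce_check(stored_challenge, presented_verifier):
    """Assumed server-side check: hash the presented verifier and compare.

    A stolen authorization code is useless without the verifier, which never
    crossed the front channel.
    """
    recomputed = _b64url(hashlib.sha256(presented_verifier.encode()).digest())
    return secrets.compare_digest(recomputed.encode(), stored_challenge.encode())


if __name__ == "__main__":
    # Constructed sample values, not real Pandora credentials.
    client_id, client_secret = "my-client-id", "my-client-secret"
    redirect_uri = "http://www.mysite.com/callback"
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("Step 1, send the user to:", build_authorize_url(client_id, redirect_uri, state, challenge))
    # Constructed callback in the shape the OAuth server would issue.
    callback = f"{redirect_uri}?code=APQBvb9xwom1IkRTg7pGiAE&state={state}&alias=AOeZZOQBQiFmQSbaUXGsgYg"
    code = parse_callback(callback, state)
    headers, body = build_token_request(client_id, client_secret, redirect_uri, code, verifier)
    print("Step 3, POST", TOKEN_URL, headers, body)
```

The verifier is compared with a constant-time function on both sides; the state comparison uses the same primitive so a timing oracle cannot leak either value.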
4. Refresh the access token
Use the refresh token grant as needed to generate new access tokens.