Documentation

OAuth 2.0

Authorization Code Grant

The authorization code grant is the classic OAuth flow. It allows a user to authorize a third party to access Pandora on their behalf. A use case for this flow is a user authorizing a web client to access Pandora APIs on their behalf. The web client uses an access token to look up details about the user, fetch playlists, etc.

1. Redirect the user to the login page

https://www.pandora.com/oauth/v1/authorize

The client redirects the user to https://www.pandora.com/oauth/v1/authorize with the following parameters:

response_type (string, required). Example: "code". Denotes the kind of credential the authorization server will return (code vs token). For this flow, the value must be code.

client_id (string, required). Example: "K0OOpAbKaR97E1NoeX8dC9LA9wAwq23E". The identifier of the client. See here how to get your client ID.

redirect_uri (string, required). Example: "http://www.mysite.com/callback". The callback URL registered for your app. You can find your callback URL in your applications dashboard. When the authorization process succeeds, the OAuth server redirects back to this URL.

scope (string, optional). Example: "webapi". A space-delimited list of scopes the client would like. Only "webapi" is supported for now, and it is also the default.

state (string, optional but highly recommended). Example: "8600b31f-52d1-4dca-987c-386e3d8967e9". A CSRF token: a random value generated by the client that we return unchanged in our response. The client is responsible for verifying its validity.

code_challenge (string, optional; PKCE is highly recommended for public clients). Example: "M25iVXpKU3puUjFaYWg3T1NDTDQtcW1ROUY5YXlwalNoc0hhakxifmZHa". A base64 URL encoded value derived, via code_challenge_method, from a random "code verifier" that the client temporarily persists for use in step 3.

code_challenge_method (string, optional, but required if code_challenge is used). Example: "S256". The only permitted method is SHA-256.

2. Receive the authorization code

The user then logs in and consents to the application requesting Pandora resources on their behalf. The authorization server redirects the user to the redirect URI given in the initial request, with the following parameters in the query string:

code (string). Example: "APQBvb9xwom1IkRTg7pGiAE". The authorization code, a short-lived value that can be exchanged for an access token.

state (string). Example: "8600b31f-52d1-4dca-987c-386e3d8967e9". The state parameter sent in the original request, if one was sent.

alias (string). Example: "AOeZZOQBQiFmQSbaUXGsgYg". The request authorization UUID; this value changes with each authorization.

3. Exchange the authorization code for an access token

Now that the client has the authorization code, it can call the OAuth service to obtain the access and refresh tokens needed for GraphQL calls.

The client sends a POST request to https://www.pandora.com/oauth/v1/token with the content type application/x-www-form-urlencoded and the following form parameters:

grant_type (string, required). Example: "authorization_code". Must be authorization_code, indicating that the authorization code grant type is being used.

redirect_uri (string, required). Example: "http://www.mysite.com/callback". The same redirect URI the user was redirected to during front-channel communication.

code (string, required). Example: "APQBvb9xwom1IkRTg7pGiAE". The authorization code received during front-channel communication.

code_verifier (string, optional). Example: "M25iVXpKU3puUjFaYWg3T1NDTDQtcW1ROUY5YXlwalNoc0hhakxifmZHa". If code_challenge was used in front-channel communication, the plaintext random value that the back channel will compare against it.

Additionally, the client should include a basic authentication header that looks like the following:

Authorization: Basic Base64Encode(client_id:client_secret)

If everything is valid, we respond with a JSON object that contains:

access_token (string). Example: "eyJ6aXAiOiJERUYiLCJraWQiOiJlbmMxNTEyNDE0ODM5IiwiY3R5IjVZ0-bT-PbDSehO_4CnTy3fRXbiuQFKCI5ZauccidVCRN-dFGwHPLKHIUQyud0.if2rmJFUJkUDrFvbl44_vw". The access token that can be used to access a Pandora protected resource.

refresh_token (string). Example: "eyJ6aXAiOiJERUYiLCJraWQiOiJlbmMxNTEzNzgzOTU4IiwiY3R5IjoiSldUIiwiZW5jIjoiuTTVDpWIqNwxXHoekobswt7uXaBhExXkolqVB4y5yOk.B7eRL3XpBwKtpcc9rgVjJQ". A token that can be used at the refresh endpoint to fetch a fresh access_token.

expires_in (number). Example: 14400. The time in seconds that the access token is valid for (the refresh token does not expire).

token_type (string). Example: "Bearer". The type of the token, typically "Bearer".

You can use this curl command to test, replacing each bracketed placeholder with your own value. The Authorization value is the Base64 encoding of client_id:client_secret; omit the code_verifier line if you did not send a code_challenge in step 1:

curl 'https://www.pandora.com/oauth/v1/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic <base64(client_id:client_secret)>' \
  -d grant_type=authorization_code \
  -d redirect_uri="<redirect_uri>" \
  -d code=<authorization_code> \
  -d code_verifier=<code_verifier>
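Steps 1 to 3 above, put together as an added Python example (this is not Pandora's code and is not part of the original page): it generates the state value and the PKCE verifier/challenge pair, builds the authorize URL, validates the front-channel callback, and assembles the headers and body of the token request. The S256 derivation (base64url of the SHA-256 of the verifier, without padding) follows RFC 7636, which the page's S256 method refers to. The client_id, client_secret and the callback URL in the demo are constructed placeholders, and the code only builds the requests; it does not send anything.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as documented on the page.
AUTHORIZE_URL = "https://www.pandora.com/oauth/v1/authorize"
TOKEN_URL = "https://www.pandora.com/oauth/v1/token"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy random verifier: 32 random bytes -> 43 base64url characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_for(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)). Only this method is permitted."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id, redirect_uri, state, code_challenge, scope="webapi"):
    """Step 1: the URL the browser is redirected to, carrying state and the PKCE challenge."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: check the returned state and extract the authorization code.

    Refusing a missing or mismatched state is what keeps a code that this session
    never requested from being exchanged (the CSRF protection the page recommends).
    """
    query = parse_qs(urlparse(callback_url).query)
    received = query.get("state", [""])[0]
    if not secrets.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not initiated by this session")
    codes = query.get("code")
    if not codes:
        raise ValueError("callback carried no authorization code")
    return codes[0]


def build_token_request(client_id, client_secret, redirect_uri, code, code_verifier):
    """Step 3: headers and form body for the back-channel POST to TOKEN_URL."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + creds,
    }
    body = {
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,  # the server hashes this and compares to the challenge
    }
    return headers, urlencode(body)


if __name__ == "__main__":
    # Constructed placeholder credentials; the client_id is the page's example value.
    client_id = "K0OOpAbKaR97E1NoeX8dC9LA9wAwq23E"
    client_secret = "<client_secret>"
    redirect_uri = "http://www.mysite.com/callback"

    verifier = make_code_verifier()      # persist alongside the session until step 3
    state = secrets.token_urlsafe(16)    # persist alongside the session until step 2
    print(build_authorize_url(client_id, redirect_uri, state, code_challenge_for(verifier)))

    # Constructed callback, shaped like the redirect described in step 2.
    callback = (f"{redirect_uri}?code=APQBvb9xwom1IkRTg7pGiAE&state={state}"
                "&alias=AOeZZOQBQiFmQSbaUXGsgYg")
    code = parse_callback(callback, state)
    headers, body = build_token_request(client_id, client_secret, redirect_uri, code, verifier)
    print("POST", TOKEN_URL, headers, body, sep="\n")
```

The verifier and state must be stored server-side (or otherwise bound to the user's session) between the redirect and the callback; the challenge sent in step 1 is useless to an interceptor of the code without the verifier that only the client holds.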

4. Refresh the access token

Use the refresh token grant as needed to generate new access tokens.