Documentation

OAuth 2.0

Client Credentials Grant

This grant is for machine-to-machine communication where a single user's permission is not required.

The client sends a POST request to https://www.pandora.com/oauth/v1/token with the content type application/x-www-form-urlencoded and the following values:

| Parameter | Description | Type | Example | Required |
|---|---|---|---|---|
| grant_type | client_credentials, indicating that we are using the client credentials grant type. | string | "client_credentials" | Yes |
| scope | A space-delimited list of requested scopes. Only “webapi” is supported for now. The default is also “webapi”. | string | "webapi" | Yes |

Additionally, the client should include a basic authentication header that looks like the following:

Authorization: Basic Base64Encode(client_id:client_secret)

The authorization server responds with a JSON object that contains:

| Parameter | Description | Type | Example |
|---|---|---|---|
| token_type | The type of token to request. Usually "Bearer". | string | "Bearer" |
| expires_in | The time in seconds the token is valid for. | string | "webapi" |
| access_token | The access token that can be used to access a Pandora protected resource. | string | "STRING" |

Note: No refresh token is granted with this grant type. Instead, when the token expires, re-fetch the access token with the client credentials grant.