Tutorial: Authenticate App User with Pandora

1. Authentication & Authorization

The majority of this is handled by the OAuth service of Pandora.  The aim is to authenticate the listener using their Pandora listener account, authorize the application to fetch resources on behalf of the listener, and get an authorization code that you will use to get an access token to eventually query/mutate Pandora resources.

Redirect the listener to Pandora OAuth service (Authentication)

Redirect the listener to with the following URL parameters:

Parameter Description Type Example Required
response_type Denotes the kind of credential that Auth0 will return (code vs token). For this flow, the value must be code. string "code" Yes
client_id The identifier of the client. See here for how to find your Client ID. string "K0OOpAbKaR97E1NoeX8dC9LA9wAwq23E" Yes
redirect_uri The callback URL registered for your app. When the authorization process was successful, the OAuth server will redirect back to this URL. string "" Yes

An example of what the request URL should look like:

1. The OAuth server will redirect the listener to

2. The listener will then either create an account or sign in with their existing account. Clicking on “I have a Pandora account” will take you to this page.

3. When you log in, the OAuth service will take you to the next screen to submit consent for scope.


Listener submits consent for scope (Authorization)

On this screen the listener submits consent for the application to access Pandora resources on behalf of the user.

Parameter Description Type Example
code The authorization code is a short lived value that can be exchanged for an access token. string "APQBvb9xwom1IkRTg7pGiAE"
alias Request authorization UUID, this value will change with each authorization. string "AOeZZOQBQiFmQSbaUXGsgYg"

An example of the callback URL and its parameters:


Get authorization code from response

The next step is to get the authorization code that you will need to be able to get an access token. The authorization code was sent as a parameter on the callback URL.