Understanding PKCE Flow and Rate Limiting
Hi, I'm integrating Spotify into my web application and have some questions about the PKCE flow. Specifically, I'm wondering about its security and purpose.

With PKCE, the browser receives both the access and refresh tokens. However, Spotify enforces rate limits at the application level. This raises a concern: What prevents a user from obtaining their own access and refresh tokens and using them to spam requests to Spotify? This could quickly exhaust the app-wide rate limit, affecting all users.

Does Spotify have a mechanism to rate-limit individual users to prevent this kind of abuse? And if not, do I need to handle per-user rate limiting on my own? If I still need to manage rate limiting server-side, what’s the purpose of using PKCE at all, if I ultimately need to proxy requests through my backend?


Plan: Premium

Operating System: Windows 10

0 Replies