The Spotify API has an option to authorize users, which I am currently using. When the authorization is complete, you'll receive an Authentication Token, which can be exchanged for an Access Token and Refresh Token. In my use case, the Access Token will be sent to the backend which requests user details using the /me call, after which a user will be created or logged in based on the Spotify data. The Spotify ID (in the response) will be used to create a user in my backend, so basically your Spotify ID is tied to an account in the backend.

The problem I'm currently facing is the following: in order to get the Spotify ID of the user, the backend has to make a /me call. This isn't ideal because Spotify has rate limits, which can easily be triggered this way. Normally when you authenticate using OAuth, you'll receive a JWT token which contains data, possibly an id. You can also verify if the JWT token has been tampered with using your public / private key. In Spotify's case, we do not receive a JWT token, but rather a general token. I can't seem to find out how to get any information from the token, I just don't know. I've tried Base64 decoding it and then AES (and DES and TripleDES and Rabbit and RC4) decrypting it using the public / private key, but no useful data is being retrieved. I cannot find any information on how to get any data out of it, no one seems to have tried it yet.

Auth0 has a Spotify integration, where they also (from what I could see) use the /me call in the backend. I suppose they are using a proxy or such to get around the rate limit, but this is not applicable for now. The problem I foresee is that any Spotify token from the internet could potentially log in to my backend, because I can't verify that the token has been created using my client ID...

In the hopes of some stranger on StackOverflow knowing the answer, or knowing how to help, I've listed all the public / private keys and responses I have retrieved (note: these are test keys, not my app's keys):

Client ID: 6577d59d8dd643d5b2e53b25b0d5211e
Client Secret: c04640db6312400c9611229a81e65c6b
Authorization code: AQAGm98h91D9AsvavJXAL_V5DK-r6BtybDPbg7B31vZocO7TjOXqLQwhVSOmrHViXkippOPFjtrNjEjCQG6D0n1ImYbFXaTUNYGK4uIaeqqUdGne-KTZBE3MmBUP0iagpCY5HVjtTnty2FnL_JjD1a6omPAvSqTds1iexV6a
Access Token: BQAdbMy4Dhj0VCfnFS_VcEgjmMHBb9Sekjcal5F8T9HaXb7zIJjtsIRgjuzp4x3SGvAXgBw1NWdURSGGGHP5wPSU0Baqc9Zz4b5AvPGOX6aZy6w5c15GktTT_bvB-3wA3rfOqjYsrAGuzHuqxz0simNcYiQNiIyuhw
Refresh Token: AQApR35msEEcgq0pH7TWPXefcA8bHvc2rApA-mxRAuPo3QJVu5ksZMJMmh4jXy6USj2napzrZ9bJijVbkpZpgzPE8js-i-e9f7vVO0INnp-Q3P_gt3MIQ-4AbQ8eDBXORmw

TL;DR:

How to get data from the Spotify Access token, possibly using the client ID / client Secret?

Because I can't think (that's the question) of any way to verify the token, any Spotify token could be used to create an account in my backend, not just a token created with my client ID.

1 Answer

This is a common problem if you try to use foreign access tokens in your own APIs. This type of access token is only designed for Spotify APIs and not for your own APIs to use.

The access token format is probably a reference token and the claims it uses can only be retrieved via OAuth introspection, which is an operation that I doubt you will have rights to perform.

CORRECT APPROACH

  • You provide an Authorization Server (AS), such as Auth0
  • Users can log in in multiple ways, one of which is Spotify
  • To sign a user in, your app first redirects to your AS, which then redirects to Spotify, where the user authenticates
  • Spotify issues tokens to your AS, which then issues its own tokens to your UI
  • Your UI sends tokens to your API, and the API is in full control of dealing with the token, and any identifiers / claims / scopes within it

This might sound complicated, but all of the security details are externalised from your UIs and APIs, so it leads to simple code. My blog post has further details on the pattern.
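To make the last bullet concrete, here is an added example (not code from the answer's author, Auth0 or Spotify) of what "the API is in full control of the token" looks like: a stand-in for your own AS mints a JWT whose `sub` is the Spotify ID it obtained via /me once, and your API validates signature, issuer, audience and expiry locally, while an opaque Spotify token like the one in the question is rejected outright because it has no claims to check. The issuer and audience values are hypothetical, and HS256 with a shared secret stands in for the asymmetric key a real AS would publish on its JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (hypothetical); a real AS signs with an RSA/EC key it publishes
AS_ISSUER = "https://as.example.com/"
API_AUDIENCE = "my-backend-api"
SHARED_SECRET = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(spotify_id, scope, now=None, lifetime=3600):
    """AS side: mint an HS256 JWT whose 'sub' is the Spotify ID the AS fetched via /me once."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": AS_ISSUER, "aud": API_AUDIENCE, "sub": spotify_id,
              "scope": scope, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, now=None):
    """API side: accept only tokens our AS issued for this API; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:  # a Spotify access token has no dots: opaque, not locally verifiable
        raise ValueError("not a JWT")
    header_b64, claims_b64, sig_b64 = parts
    # Bad base64 or JSON below raises binascii.Error / JSONDecodeError, both ValueError subclasses
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(claims_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    if claims.get("iss") != AS_ISSUER or claims.get("aud") != API_AUDIENCE:
        raise ValueError("token not issued by our AS for this API")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims

def is_accepted(token, now=None):
    try:
        verify_token(token, now)
        return True
    except ValueError:
        return False
```

Because the API only ever trusts tokens its own AS signed for its own audience, a token minted for any other app, or an unrelated Spotify access token, can never create an account in your backend.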