As part of our continuous effort to improve our API, with the hope that we can relaunch API access to all developers, we're making some critical security improvements. Please note that these are important and time-sensitive, and may cause disruptions in your app if you don't make the necessary security upgrades.
Going forward, all traffic will be served via TLS. If your application doesn’t support TLS or cannot follow HTTP 301 redirects automatically, you should update it. This is effective immediately.
While we currently support clients sending oauth_token as a query parameter, as permitted by RFC 6750 (OAuth 2.0 Bearer Token Usage), this poses a few security challenges: a token carried in the URL ends up in server logs, proxy logs and browser history. We'll be dropping support for this soon, and clients should send the token in the Authorization header instead.
Here’s an example of sending an access token in a request header:
curl --request GET \
--url 'https://api.soundcloud.com/me/tracks?limit=1' \
--header 'Authorization: OAuth ACCESS_TOKEN'

The password grant type will be deprecated. We recommend using authorization_code for client-side integrations and client_credentials for server-side integrations.
For an authorization_code grant type, we’ll only support one response type: code. Token and code_and_token are deprecated and will be considered invalid.
Currently, server-side integrations only need to pass a client_id as a URL query parameter to access the platform's public resources. We'll be strengthening authorization here: all public resources on the API will only be accessible to apps that have been authorized with the client_credentials grant. This lets the app obtain both an access_token and a refresh_token and then fetch the resources from the API. Please note that client_id-only access will be deprecated and removed soon (from July 2021). Going forward, developers should send the Authorization header with every request to the SoundCloud API.
Here’s an example of getting an access token via the client_credentials grant type:
curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID \
--data client_secret=CLIENT_SECRET \
--data grant_type=client_credentials

All access tokens issued by our servers will now expire by default, with a TTL of 6 hours. If you're currently relying on non-expiring tokens, update your app to handle the refresh_token grant.
Here’s an example of getting an access token via the refresh_token grant type:
curl --request POST \
--url https://api.soundcloud.com/oauth2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_id=CLIENT_ID \
--data client_secret=CLIENT_SECRET \
--data grant_type=refresh_token \
--data refresh_token=REFRESH_TOKEN

For future updates, please follow us on Twitter and on our blog. For any bugs or feature requests, please visit our GitHub Issue Tracker. You can also follow our API Release Notes page to stay up to date with minor changes.
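As an added example (not SoundCloud's own code), here is how a server-side integration can put the client_credentials and refresh_token flows above together: obtain a token, send it in the Authorization header, and renew it via refresh_token shortly before the 6-hour TTL runs out. The `urllib_post` transport and the `FakeTokenEndpoint` used to run the flow offline are my assumptions; the endpoint URL and form fields are the ones shown in the curl examples.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.soundcloud.com/oauth2/token"  # endpoint shown in the announcement
DEFAULT_TTL = 6 * 3600  # announced default access-token TTL, used if expires_in is absent

def urllib_post(url, form):
    """Real transport (assumed): form-encoded POST, returns the decoded JSON body."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

class TokenClient:
    """Holds one access/refresh token pair and renews it before it expires."""
    def __init__(self, client_id, client_secret, post=urllib_post, leeway=60, clock=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.leeway, self.clock = post, leeway, clock  # injectable for offline tests
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _grant(self, **params):
        # Same form fields as the curl examples: client_id, client_secret, grant_type, ...
        form = {"client_id": self.client_id, "client_secret": self.client_secret, **params}
        tok = self.post(TOKEN_URL, form)
        self.access_token = tok["access_token"]
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + float(tok.get("expires_in", DEFAULT_TTL))
        return self.access_token

    def auth_header(self):
        """Header for the next API call; fetches or refreshes the token when needed."""
        if self.access_token is None:
            self._grant(grant_type="client_credentials")
        elif self.clock() >= self.expires_at - self.leeway:
            self._grant(grant_type="refresh_token", refresh_token=self.refresh_token)
        return {"Authorization": f"OAuth {self.access_token}"}

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint so the flow runs offline; records each form."""
    def __init__(self):
        self.calls = []

    def __call__(self, url, form):
        self.calls.append(dict(form))
        n = len(self.calls)
        return {"access_token": f"at{n}", "refresh_token": f"rt{n}", "expires_in": DEFAULT_TTL}
```

Against the live API, construct `TokenClient` without the `post` and `clock` arguments and pass `auth_header()` as the headers of each request; the query-string client_id is no longer sent anywhere.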