Authorization

MusicAPI requires authentication credentials for all API requests. You can obtain your Client ID and Client Secret from the MusicAPI Dashboard after creating your developer account.

Public Endpoints

Public endpoints that access general music content (such as the Search API) require only Client ID authentication. These endpoints are safe to call directly from your frontend application.

Required Headers

Each API call must include the following headers:

  • Authorization: Token [Your Client ID]
  • Content-Type: application/json; charset=utf-8

Example Request

curl "https://api.musicapi.com/search/introspection" \
  -H 'Content-Type: application/json; charset=utf-8' \
  -H 'Authorization: Token 2cf82db3-4064-4235-8253-16994eb51773'

Private Endpoints

Private endpoints that access user-specific data (such as user profiles, playlists, and libraries) require enhanced security authentication.

MusicAPI supports two authentication methods for private endpoints:

Method 1: Client Secret Authentication (Backend Only)

You can authenticate using your Client ID and Client Secret combination. Since this provides full account access, you must only use this method on your secure backend servers. This is ideal for server-side operations like fetching user information for internal processing.

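Method 2: Dev Token Authentication (Recommended for Frontend)

The recommended approach is to use JWT Dev Tokens. Generate the token on your backend server, where the private key stays, then pass only the token to your frontend application for secure API calls.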

Example Implementation: In Next.js applications, you can generate the JWT token server-side using getServerSideProps and securely pass it to your client components.

Dev Token Authentication

Recommended for frontend applications!

JWT Dev Tokens provide secure authentication for frontend applications while maintaining security best practices.

Step 1: Generate Key Pair

Create a private/public key pair using the following OpenSSL commands:

openssl ecparam -name prime256v1 -genkey -noout -out private.ec.key
openssl ec -in private.ec.key -pubout -out public.pem

Step 2: Configure Public Key

  1. Navigate to Account Settings in your developer dashboard
  2. Add your public key to your account configuration
  3. Save the configuration and note down the Key ID - you'll need this for JWT generation

Step 3: Generate JWT Tokens

MusicAPI uses the ES256 algorithm for JWT validation. You must use this specific algorithm for all token generation.

Required JWT Header:

{
  "typ": "JWT",
  "alg": "ES256",
  "kid": "Your Public Key ID from Account Settings"
}

Required JWT Payload:

{
  "iss": "Your Client ID",
  "sub": "Target User UUID [integrationUserUUID] (optional)",
  "iat": 1683873013, // Issued at, in seconds: Math.floor(new Date().getTime() / 1000)
  "exp": 1685082613 // Expiration, in seconds: Math.floor(date.addDays(new Date(), 14).getTime() / 1000)
}

Note: The sub property is optional. When omitted, the token can query data for any user within your account scope.

Step 4: API Authentication

Include the following headers in your API requests:

  • Authorization: DevToken [Your Generated JWT]
  • Content-Type: application/json; charset=utf-8

Example Implementation

Here's a TypeScript example for generating Dev Tokens:

import jwt from 'jsonwebtoken';
import date from 'date-and-time';

// Run this on the backend only: privateKey is the PEM contents of private.ec.key from Step 1.
export const signDevToken = (clientId: string, keyId: string, privateKey: string, integrationUserUUID?: string) => {
  const algorithm = 'ES256';

  return jwt.sign(
    {
      iss: clientId,
      // iat and exp are in seconds, not milliseconds
      iat: Math.floor(new Date().getTime() / 1000),
      exp: Math.floor(date.addDays(new Date(), 14).getTime() / 1000),
      // Optional: restricts the token to a single user
      sub: integrationUserUUID,
    },
    privateKey,
    {
      algorithm,
      header: {
        alg: algorithm,
        kid: keyId, // Key ID from Account Settings
      },
    }
  );
};
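
Added example (not MusicAPI's own code): the same Dev Token built with Node's built-in crypto module instead of jsonwebtoken, plus a backend pre-flight check that catches the mistakes that matter before a token reaches the browser: wrong algorithm, a signature that does not match the uploaded public key, millisecond timestamps, and a missing sub. The names throwawayKeys and lintDevToken and the maxDays policy are assumptions made for this example.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

const DAY = 86400; // seconds
const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString('base64url');

// Throwaway P-256 pair standing in for private.ec.key / public.pem from Step 1.
export const throwawayKeys = () => generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// ES256 Dev Token. JWS needs the raw 64-byte R||S signature, not the DER
// encoding crypto.sign() emits by default, hence dsaEncoding 'ieee-p1363'.
export function signDevToken(clientId: string, keyId: string, key: KeyObject,
                             sub?: string, ttlDays = 14, nowMs = Date.now()): string {
  const iat = Math.floor(nowMs / 1000); // NumericDate is seconds, not milliseconds
  const head = enc({ typ: 'JWT', alg: 'ES256', kid: keyId });
  const body = enc({ iss: clientId, sub, iat, exp: iat + ttlDays * DAY });
  const sig = sign('sha256', Buffer.from(`${head}.${body}`), { key, dsaEncoding: 'ieee-p1363' });
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// Pre-flight check run on the backend before a token is sent to the browser.
// maxDays is an assumed local policy that mirrors the page's 14-day example.
export function lintDevToken(token: string, pub: KeyObject, maxDays = 14, nowMs = Date.now()): string[] {
  const [h, p, s] = token.split('.');
  if (!h || !p || !s) return ['not a three-part JWT'];
  const head = JSON.parse(Buffer.from(h, 'base64url').toString());
  const body = JSON.parse(Buffer.from(p, 'base64url').toString());
  const problems: string[] = [];
  if (head.alg !== 'ES256') problems.push('alg is not ES256');
  if (!head.kid) problems.push('kid missing');
  const ok = verify('sha256', Buffer.from(`${h}.${p}`),
                    { key: pub, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) problems.push('signature does not verify with this public key');
  if (body.iat > 1e11 || body.exp > 1e11) problems.push('iat/exp look like milliseconds');
  else if (body.exp - body.iat > maxDays * DAY) problems.push('lifetime exceeds policy');
  else if (body.exp <= nowMs / 1000) problems.push('already expired');
  if (!body.sub) problems.push('no sub: token can query any user in the account');
  return problems;
}
```

An empty array from lintDevToken means the token passed every check; anything else should stop the token from being handed to client code.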

Client Secret Authentication

Security Warning

Never expose your Client Secret in frontend code! Treat it like a password - it provides full access to your account and should only be used on secure backend servers.

Client Secret authentication provides access to both public and private endpoints. Due to its privileged access level, this method should only be used on secure backend servers.

Implementation

Use HTTP Basic Authentication by sending your Client ID and Client Secret in the Authorization header:

Authorization: Basic base64($clientId + ':' + $clientSecret)

Example Requests

# Using pre-encoded credentials
curl "https://api.musicapi.com/search/introspection" \
  -H 'Authorization: Basic OGQ4ODMxNzgtOTU4NS00ODJlLWJiNGItMGM4NTczNmVkYzJkOjlmYWNmZTI4LTgzZTUtNGIzZi04MTVmLTIzNTUxZDc3Y2Q0OA==' \
  -H 'Content-Type: application/json; charset=utf-8'

# Using curl's built-in authentication
curl "https://api.musicapi.com/search/introspection" \
  -u "ClientID:ClientSecret" \
  -H 'Content-Type: application/json; charset=utf-8'