README: state plainly that a new Spotify app can't read playlists (both endpoints blocked)

Testing a brand-new app confirmed /tracks returns 403 and /items returns 401
'valid user authentication required' for app-only (client-credentials) access.
Update the prerequisite, the credentials table, and Troubleshooting so new
self-hosters know they need a grandfathered app's Client ID/Secret rather than
creating their own.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
andrew
2026-07-14 10:19:05 -06:00
parent 97672ffdcd
commit 91f3982eff
+3 -3
View File
@@ -56,7 +56,7 @@ Before you begin, make sure you have:
1. **A server that runs Docker**, with `docker compose` available. Any Linux box, NAS, or mini PC works.
2. **A music server that reads a plain folder of tagged files**, such as [Navidrome](https://www.navidrome.org/). alembic builds your library on disk; Navidrome (or similar) is what you actually listen with.
3. **A Soulseek account.** This is how tracks get downloaded. Sign up free at [soulseek.com](https://www.soulseek.com/).
4. **A free Spotify Developer app.** This lets alembic read playlist contents (it does not download from Spotify itself, only Soulseek). Takes two minutes, see the credentials section below.
4. **Spotify credentials that can read playlists.** alembic reads your playlists' track lists from Spotify (it does not download from Spotify itself, only Soulseek). Important: because of Spotify's 2024/2025 API changes, a **brand-new** Spotify Developer app can no longer do this kind of app-only playlist read, so creating your own fresh app will not work. You need the Client ID and Secret from an app created before those changes, which in practice means borrowing them from someone already running alembic. They are read-only and expose no account access (see the credentials section). If nobody you know has a working app, alembic cannot read playlists today.
5. **A login provider that speaks OpenID Connect (OIDC).** alembic doesn't have its own username/password login, it delegates to something you already trust. [Pocket ID](https://github.com/pocket-id/pocket-id) is a small self-hosted option built exactly for this, but Authentik, Keycloak, Authelia, or any other OIDC provider works too.
Optional, add these later if you want them:
@@ -191,7 +191,7 @@ Spotify, Soulseek, and Navidrome are marked **Required** — every playlist sync
| Service | What to enter | Where to get it |
|---|---|---|
| **Spotify** *(required)* | Client ID, Client Secret | Create a free app at [developer.spotify.com/dashboard](https://developer.spotify.com/dashboard). You don't need any special access, the basic free tier is enough to read playlist contents. |
| **Spotify** *(required)* | Client ID, Client Secret | Reads your playlists' track lists. A brand-new app created at [developer.spotify.com/dashboard](https://developer.spotify.com/dashboard) can no longer do this (see "What you need before you start" above and Troubleshooting below), so use the Client ID and Secret from an older app that still works. |
| **Soulseek** *(required)* | Username, Password | Your normal Soulseek login. |
| **Navidrome** *(required)* | Base URL, admin username, admin password | The address of your Navidrome server and an admin account on it. Used so alembic can trigger a library rescan after downloads. |
| **Bandcamp** *(optional)* | Username, format preference, cookies | Export your Bandcamp cookies while logged into bandcamp.com in your browser, using an extension like "Get cookies.txt LOCALLY", and paste the contents in. Format preference is a space-separated list like `flac mp3-320`. |
@@ -273,7 +273,7 @@ Check that playlist's job history under **Settings → Jobs**, the log will usua
Your Spotify app can't read the playlist. Two things to check:
- **The playlist must be public.** alembic reads playlists with app-only (client-credentials) access, which can only see public playlists, never private ones. Set the playlist to public on Spotify.
- **Your Spotify app must be allowed to read playlists.** Spotify now restricts brand-new developer apps (in "development mode") from reading playlists they don't own, and since May 2025 the "extended quota mode" that lifts this is only granted to organizations, not individuals. If your own app gets 403 on a public playlist, the simplest fix is to use the Spotify Client ID and Secret from an app that already works (for example, one a friend running alembic set up before the change). Client credentials only read public catalog data, so sharing them exposes no account access, just the app's rate limit.
- **Your Spotify credentials must come from an app that can still read playlists app-only.** A brand-new Spotify Developer app cannot. Spotify has closed app-only playlist reads for new apps on both the old `/tracks` endpoint (returns 403) and the new `/items` endpoint (returns a 401 "valid user authentication required"). The "extended quota mode" that would lift this is granted only to organizations, not individuals, since May 2025. So a fresh personal app simply will not work here. Use the Client ID and Secret from an app created before these changes, for example from a friend already running alembic. Those credentials are read-only, expose no account access, and only share the app's rate limit.
**Dedup found something that isn't actually a duplicate.**
Use the "Keep both" button on that pair. alembic will remember your decision and won't flag that exact pair again.