Cannot access the client's own user information or tracks

[icreatestuff]

Title: Cannot access the client's own user information or tracks

Issue found of: October 5th, 2021

Endpoint(s):

• GET /me
• GET /me/tracks

Steps to reproduce:

Using the client_credentials grant type we receive an access token from the oauth/token endpoint which we use immediately to try and retrieve the users data and tracks from the /me and /me/tracks endpoints.

In both cases a 401 unauthorized response gets returned.

Based on this paragraph from the docs we are led to believe that as long as we're only trying to access the user details of the owner of the app (client Id & secret) this should be possible:

Authenticating without the SoundCloud Connect Screen
If you simply need an access token for testing, and do not want to go through the connect flow, or if your app needs to access only public resources, you can use the OAuth Client Credentials Flow. An example of this kind of app would be an artist's website where you'll only be accessing their tracks, playlists, or user information. In these cases you may exchange a set of your client credentials for an access token.

Expected behaviour:

The users details and tracks should be returned.

Actual behaviour:

401 unauthorized response every time without any error message.

[ChrisPowellIinc]

Did you get your client_credentials from registering the App?

[icreatestuff]

@ChrisPowellIinc We have our Client ID and Secret from a registered app yes. I've temporarily been able to get around this by doing a request for /users/{{ MY USER ID }} and /users/{{ MY USER ID }}/tracks

[rahul-sc]

You need to use the authorization_code grant type to fetch a user's access token - meaning you need to capture user's consent via "Sign in SoundCloud" i.e., Connect
https://developers.soundcloud.com/docs/api/guide#users-register

[icreatestuff]

Hi @rahul-sc thanks for the response. What you're recommending though doesn't line up with the docs that I quoted verbatim in the original post. I'm not clear on why we'd need to go down the 'Connect' route if the only resources we want are for the Soundcloud user who has registered the API app, could you shed some more light on this? Thanks

[rahul-sc]

I think you're confusing the fact that API keys associated to a SC user account vs asking user's consent via Oauth2 to allow a 3rd party app to interact with their data / act on their behalf.

If you're performing user related actions on API, you need to integrate with Connect. With Client Credentials, you can only access public resources (like track, playlist etc)