The latest articles on Forem by Aditya Thakekar (@adityathakekar). https://forem.com/adityathakekar https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F777095%2F0b55ea03-9403-4e18-9e1e-9ec63328a97f.jpg https://forem.com/adityathakekar en Aditya Thakekar Sat, 20 Dec 2025 15:11:09 +0000 https://forem.com/adityathakekar/build-a-real-time-spotify-dashboard-with-nextjs-part-1-the-auth-297e https://forem.com/adityathakekar/build-a-real-time-spotify-dashboard-with-nextjs-part-1-the-auth-297e <p><strong>Series:</strong> Project Spotiviz<br> <strong>Tags:</strong> #nextjs #webdev #tutorial #security</p> <p><a href="http://googleusercontent.com/image_generation_content/0" rel="noopener noreferrer">http://googleusercontent.com/image_generation_content/0</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fexgwsckci5tvlrjsg4n0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fexgwsckci5tvlrjsg4n0.png" alt="Spotify" width="800" height="436"></a></p> <h2> 👋 The "Why." </h2> <p>We all love <strong>Spotify Wrapped</strong>. It is a brilliant piece of product marketing that turns data into a cultural event. But as developers, waiting 12 months to see our listening habits feels like an eternity.</p> <p><em>Why can't we see our data **now</em><em>?</em></p> <p>Welcome to <strong>Project Spotiviz</strong>. In this three-part series, we aren't just going to fetch a JSON file. We are going to engineer a production-ready, full-stack application that visualizes your music taste in real-time.</p> <p><strong>What we are building today:</strong><br> We are ignoring the charts for a moment. Today, we focus on the gatekeeper: <strong>Authentication.</strong> 🔐</p> <blockquote> <p><strong>The Goal:</strong> By the end of this article, you will have a secure backend that can handshake with Spotify, exchange secret codes for access tokens, and store them in <strong>secure, HTTP-only cookies</strong> that client-side scripts can't touch.</p> </blockquote> <h2> 🏛️ The Architecture </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnf2p03nth2ta516kjljj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnf2p03nth2ta516kjljj.png" alt="Architecture" width="800" height="436"></a></p> <p>Before we write code, we must understand the flow. Using a third-party API like Spotify isn't as simple as <code>fetch('https://api.spotify.com')</code>. We are dealing with private user data.</p> <p>We are using the <strong>Authorization Code Flow</strong>. This is robust and allows us to get a "Refresh Token," meaning our app can stay logged in forever without the user needing to re-approve it every hour.</p> <p><a href="http://googleusercontent.com/image_generation_content/1" rel="noopener noreferrer">http://googleusercontent.com/image_generation_content/1</a></p> <h3> 🛠️ The Stack </h3> <ul> <li> <strong>Framework:</strong> Next.js 14/15 (App Router)</li> <li> <strong>Language:</strong> TypeScript</li> <li> <strong>Styling:</strong> Tailwind CSS</li> <li> <strong>State Management:</strong> Server-Side Cookies</li> </ul> <h2> Phase 1: The Spotify Developer Dashboard </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftq3qmbn0yvc2o880bnj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fftq3qmbn0yvc2o880bnj.png" alt="Developer-dashboard" width="800" height="436"></a></p> <p>We need to register our application with Spotify to get our credentials.</p> <ol> <li> Log in to the <a href="https://developer.spotify.com/dashboard" rel="noopener noreferrer">Spotify Developer Dashboard</a>.</li> <li> Click <strong>Create App</strong>.</li> <li> Give it a name (e.g., <code>Spotiviz Local</code>).</li> <li> <strong>🚨 Crucial Step:</strong> You will see a field for <strong>Redirect URIs</strong>. This is a whitelist of URLs that Spotify is allowed to return data to. If you don't set this exactly right, the API will block you.</li> </ol> <p><a href="http://googleusercontent.com/image_generation_content/2" rel="noopener noreferrer">http://googleusercontent.com/image_generation_content/2</a></p> <blockquote> <p><strong>Input this exactly:</strong><br> <code>http://localhost:3000/api/callback</code></p> </blockquote> <h2> Phase 2: Project Setup &amp; Secrets 🤫 </h2> <p>Open your terminal. Let’s scaffold a robust Next.js project.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx create-next-app@latest spotiviz <span class="c"># Select Yes for TypeScript, Tailwind, ESLint, App Router</span> </code></pre> </div> <h3> Managing Secrets </h3> <p>We need to store our credentials securely. Create a file named <code>.env.local</code> in the root of your project.</p> <p><a href="http://googleusercontent.com/image_generation_content/4" rel="noopener noreferrer">http://googleusercontent.com/image_generation_content/4</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env.local</span> <span class="nv">SPOTIFY_CLIENT_ID</span><span class="o">=</span>your_client_id_paste_here <span class="nv">SPOTIFY_CLIENT_SECRET</span><span class="o">=</span>your_client_secret_paste_here <span class="nv">SPOTIFY_REDIRECT_URI</span><span class="o">=</span>http://localhost:3000/api/callback </code></pre> </div> <h2> Phase 3: The Authorization URL 🔗 </h2> <p>We need a button that kicks off the process. We need to construct a specific URL that tells Spotify exactly what permissions (<strong>Scopes</strong>) we want.</p> <p>Create a utility library: <code>lib/spotify.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">scopes</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">user-read-recently-played</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">user-top-read</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">user-read-currently-playing</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">user-library-read</span><span class="dl">"</span> <span class="p">].</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2"> </span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">params</span> <span class="o">=</span> <span class="p">{</span> <span class="na">scope</span><span class="p">:</span> <span class="nx">scopes</span><span class="p">,</span> <span class="na">response_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SPOTIFY_REDIRECT_URI</span><span class="o">!</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SPOTIFY_CLIENT_ID</span><span class="o">!</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">queryParamString</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">(</span><span class="nx">params</span><span class="p">).</span><span class="nf">toString</span><span class="p">();</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">LOGIN_URL</span> <span class="o">=</span> <span class="s2">`https://accounts.spotify.com/authorize?</span><span class="p">${</span><span class="nx">queryParamString</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> </code></pre> </div> <blockquote> <p><strong>Pro Tip:</strong> If you forget to ask for a specific scope here (like <code>user-top-read</code>), the API will return a <code>403 Forbidden</code> error later when you try to fetch that data.</p> </blockquote> <h2> Phase 4: The "Handshake" (API Route) 🤝 </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnxyi1eds4isudoishb9f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnxyi1eds4isudoishb9f.png" alt="Handshake" width="800" height="436"></a></p> <p><strong>This is the most critical part of the application.</strong></p> <p>Spotify redirects the user to <code>http://localhost:3000/api/callback?code=AQDa...</code>. That <code>code</code> is <strong>NOT</strong> the access token. It is a temporary authorization code.</p> <p>We must exchange this code <strong>Server-Side</strong> using a Next.js Route Handler.</p> <p><strong>File:</strong> <code>app/api/callback/route.ts</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">cookies</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/headers</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 1. Parse the URL to get the "code" parameter</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">searchParams</span> <span class="p">}</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">code</span> <span class="o">=</span> <span class="nx">searchParams</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">code</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No code provided</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// 2. Prepare the request to exchange code for a token</span> <span class="kd">const</span> <span class="nx">authOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/x-www-form-urlencoded</span><span class="dl">"</span><span class="p">,</span> <span class="na">Authorization</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Basic </span><span class="dl">"</span> <span class="o">+</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SPOTIFY_CLIENT_ID</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">:</span><span class="dl">"</span> <span class="o">+</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SPOTIFY_CLIENT_SECRET</span> <span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">"</span><span class="s2">base64</span><span class="dl">"</span><span class="p">),</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="k">new</span> <span class="nc">URLSearchParams</span><span class="p">({</span> <span class="na">code</span><span class="p">:</span> <span class="nx">code</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SPOTIFY_REDIRECT_URI</span><span class="o">!</span><span class="p">,</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">"</span><span class="s2">authorization_code</span><span class="dl">"</span><span class="p">,</span> <span class="p">}).</span><span class="nf">toString</span><span class="p">(),</span> <span class="p">};</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">[https://accounts.spotify.com/api/token](https://accounts.spotify.com/api/token)</span><span class="dl">"</span><span class="p">,</span> <span class="nx">authOptions</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// 3. Securely store the tokens in Cookies 🍪</span> <span class="kd">const</span> <span class="nx">cookieStore</span> <span class="o">=</span> <span class="nf">cookies</span><span class="p">();</span> <span class="nx">cookieStore</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">spotify_access_token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">data</span><span class="p">.</span><span class="nx">access_token</span><span class="p">,</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// Prevents JavaScript access (XSS protection)</span> <span class="na">secure</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">production</span><span class="dl">"</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">3600</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span><span class="p">,</span> <span class="nx">request</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Internal Server Error</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">500</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> 🔒 Deep Dive: The Cookie Strategy </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06gu7hqjuf5dw8xn9fhm.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F06gu7hqjuf5dw8xn9fhm.gif" alt="Code" width="480" height="360"></a><br> Why did we use <code>httpOnly: true</code>?</p> <p>If we stored the token in <code>localStorage</code>, a malicious chrome extension could steal the user's session. With <strong>HttpOnly cookies</strong>, the browser stores the cookie and attaches it to requests, but <strong>JavaScript cannot read it.</strong></p> <p><a href="http://googleusercontent.com/image_generation_content/3" rel="noopener noreferrer">http://googleusercontent.com/image_generation_content/3</a></p> <h2> 🚀 Testing The Flow </h2> <ol> <li> Run <code>npm run dev</code>.</li> <li> Click your login button.</li> <li> Accept the permissions on Spotify's side.</li> <li> Open your browser Developer Tools &gt; <strong>Application</strong> &gt; <strong>Cookies</strong>.</li> </ol> <p>You should see your secure token sitting there, ready for <strong>Part 2</strong>.</p> <h2> What's Next? </h2> <p>In <strong>Part 2</strong>, we will:</p> <ol> <li> Create the <code>/dashboard</code> page.</li> <li> Handle <strong>Token Refresh</strong> (keeping the user logged in).</li> <li> Transform raw JSON into beautiful charts.</li> </ol> <p><em>If you found this helpful, drop a comment or a reaction! I'm building this live, so follow along for the next update.</em></p> <p><strong>Some really cool YouTube videos</strong></p> <ol> <li><p><strong>Programming with Mosh</strong>. * <strong>Video:</strong> <a href="https://www.youtube.com/watch?v=pKd0Rpw7O48" rel="noopener noreferrer">How to build a REST API with Node js &amp; Express</a><br> <strong>Why it's great:</strong> A comprehensive 1-hour walkthrough on building a REST API from scratch.</p></li> <li><p><strong>Fireship</strong> <strong>Video:</strong> <a href="https://www.youtube.com/watch?v=-MTSQjw5DrM" rel="noopener noreferrer">RESTful APIs in 100 Seconds // Build an API from Scratch with Node.js Express</a> <strong>Why it's great:</strong> A fast-paced, high-level overview combined with a practical example.</p></li> <li><p><strong>Traversy Media</strong> <strong>Video:</strong> <a href="https://www.youtube.com/watch?v=-0exw-9YJBo" rel="noopener noreferrer">Learn The MERN Stack - Express &amp; MongoDB Rest API</a><br> <strong>Why it's great:</strong> A full crash course on building a backend API using the popular MERN stack (MongoDB, Express, React, Node).</p></li> <li><p><strong>Hussein Nasser</strong> <strong>Video:</strong> <a href="https://www.youtube.com/watch?v=Yw4rkaTc0f8" rel="noopener noreferrer">gRPC Crash Course - Modes, Examples, Pros &amp; Cons and more</a><br> <strong>Why it's great:</strong> An in-depth engineering look at gRPC, including its pros and cons compared to REST.</p></li> </ol> nextjs webdev tutorial security