Spotify automated playlist management with PHP bac

Posted 2019-05-26 12:06

Question:

Two questions:

Question 1.

We need to manage 4 playlists of a Spotify user from our back-end (PHP) (without user login). Visitors of our website can submit multiple of their favorite songs to our websites. Based on that, we create and manage 4 playlists which contain the ‘top most submitted songs’. We want to automate this process from our PHP back-end without the need of manually managing the playlist day to day for a period of multiple months. We would like to use the Spotify API for this, but a user access token is needed to access and manage user playlists. We created a proof of concept, which “simulates a browser with PHP”. We log in, retrieve an authentication token, request an access token with the authentication token and then perform the necessary API calls – all without user intervention. This method works, but we suspect and know this isn’t 100% the way to go :). We’re not after abuse of the API or whatsoever, but how can we periodically and automatically manage these 4 user playlists if this isn’t the right way? Please note our back-end is Apache – PHP based. We could also use NodeJS, but then again, this isn’t the way to go either.

Question 2.

Users submit songs to our website. When the user types in the search field (song title / artist name), after one second we perform an ajax call to the Spotify API and show the search results based on the input. Taking into account the amount of visitors expected on the website, this might cause a lot of traffic to the API. The docs (https://developer.spotify.com/web-api/user-guide/#rate-limiting) aren’t very clear on the applied rate limits. Is it possible to give us a better indication of these rate limits since we want to prevent this from crippling our website?

Thanks in advance.

Answer 1:

Question 1

If you want to create playlists in a certain user's library, you need that user to grant those permissions to your app.

In your case, you would implement the Authorization Code flow to obtain both refresh and access tokens.

Store the obtained access token and refresh token, use the access token to perform the requests, and renew the access token whenever it expires using the refresh token.

If you are going to manage those playlists in a user you own, then there is no need to show any login form to users. Log in once, and use the fetched tokens in a script that will periodically make changes in your user's playlists.

Question 2

The limits are not specified on the Spotify Developer site at the moment, but the API should be able to handle your search requests. If you want to be extra-safe, authenticate your requests so they are limited on a per-client_id basis. To obtain a token like this, that doesn't contain any user's information, you can use the Client Credentials flow.
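
The store-and-renew step from the answer to Question 1, sketched in PHP as an added example (not code from the original answer). The environment variable names `SPOTIFY_CLIENT_ID` and `SPOTIFY_CLIENT_SECRET`, the token file path and the function names are assumptions; the token file is assumed to have been written once by the one-time Authorization Code login.

```php
<?php
// Added example. Assumed: env var names, TOKEN_FILE path, function names.
const TOKEN_FILE = '/var/lib/playlist-bot/spotify_tokens.json'; // keep outside the web root

function loadTokens(): array
{
    $tokens = json_decode((string) file_get_contents(TOKEN_FILE), true);
    if (!is_array($tokens) || empty($tokens['refresh_token'])) {
        throw new RuntimeException('No refresh token stored; run the one-time login first.');
    }
    return $tokens;
}

function saveTokens(array $tokens): void
{
    $old = umask(0077); // new file is readable by the owner only
    $tmp = TOKEN_FILE . '.tmp';
    file_put_contents($tmp, json_encode($tokens), LOCK_EX);
    umask($old);
    rename($tmp, TOKEN_FILE); // atomic replace, never a half-written token file
}

function getAccessToken(): string
{
    $tokens = loadTokens();
    if (($tokens['expires_at'] ?? 0) > time() + 60) {
        return $tokens['access_token']; // still valid, no network call needed
    }
    $ch = curl_init('https://accounts.spotify.com/api/token');
    curl_setopt_array($ch, [ // TLS verification stays at curl's default (on)
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true,
        // Sent as HTTP Basic auth: base64(client_id:client_secret)
        CURLOPT_USERPWD => getenv('SPOTIFY_CLIENT_ID') . ':' . getenv('SPOTIFY_CLIENT_SECRET'),
        CURLOPT_POSTFIELDS => http_build_query([
            'grant_type' => 'refresh_token',
            'refresh_token' => $tokens['refresh_token'],
        ]),
    ]);
    $new = json_decode((string) curl_exec($ch), true);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($status !== 200 || empty($new['access_token'])) {
        throw new RuntimeException("Token refresh failed (HTTP $status)");
    }
    $tokens['access_token'] = $new['access_token'];
    $tokens['expires_at'] = time() + (int) $new['expires_in'];
    // The response may carry a new refresh token; keep the old one otherwise.
    $tokens['refresh_token'] = $new['refresh_token'] ?? $tokens['refresh_token'];
    saveTokens($tokens);
    return $tokens['access_token'];
}
```

Called from a cron-driven script, `getAccessToken()` replaces the scripted browser login, so the account password never has to be stored on the server.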