Spotify Connoisseur
Trust & transparency

Your keys, your library, encrypted.

Connoisseur asks for a Spotify Client ID and Client Secret. That sounds scary — so here's exactly why we need them, what they can and can't do, and how we protect them.

The short version
Spotify caps shared apps at 5 users. We can't onboard everyone through one app.
Your app fits you + 4 friends — those 4 sign in normally and don't need to create their own Spotify app.
Creating a Spotify developer app requires a Spotify Premium account (or higher). Free accounts can't access developer.spotify.com.
Your Client ID + Secret only let an app identify itself to Spotify. They are not your Spotify password.
We encrypt your Client Secret with AES-256-GCM before it touches the database. Nobody (including us) reads it in plain text after you save it.

Why Spotify forces this

On November 27, 2024, Spotify changed the rules for every new third-party app. New apps start in something called Development Mode with a hard ceiling of 5 listed users. To go beyond that, an app has to apply for "Extended Quota Mode" — and Spotify almost never approves hobby or open-source projects.

In practice that means a single shared Connoisseur app could only ever serve 5 people worldwide. The only sustainable design is the one you're using: each person spins up their own free developer app (it takes about 5 minutes) and pastes the credentials in. You stay under your own 5-user cap — which, since it's just you (plus a few friends — see below), is more than enough.

Heads up: creating a Spotify developer app requires a Spotify Premium account (or higher). Free Spotify accounts can't sign in to developer.spotify.com.

Bring up to 4 friends — no setup for them

Your 5-user cap isn't just for you. It's you + 4 additional Spotify accounts. Those 4 guests do not need to create their own Spotify developer app, and they do not need Spotify Premium — they can be on any Spotify tier, including Free.

To invite someone, add their Spotify account email to your app's user list (the wizard walks you through it in the "Add user" step, and you can manage it later in Settings → Spotify app). They then just sign in to Connoisseur with Spotify like normal.

Want to share with a 6th person? They'd spin up their own free app — the same 5-minute flow you went through — and they'd get their own pool of 4 guests on top.

What we ask for — and what we don't

Client ID
A public identifier for your app. Think of it like a username. Safe to share — it even appears in browser URLs during sign-in.
Client Secret
Sensitive. Acts like a password for your app, letting it request tokens. We treat it accordingly — see the encryption section below.

We never ask for and never receive:

  • Your Spotify account password.
  • The ability to post, follow, or change account settings on your behalf.
  • Any payment information.

When you connect, Spotify shows you the exact permissions ("scopes") we request — read your liked songs, read your playlists, and modify playlists that we create. You can revoke them anytime from your Spotify account settings.

How we protect your Client Secret

  • Encrypted at rest. Before your Client Secret is written to the database, it's encrypted with AES-256-GCM — the same family of cipher used by HTTPS and banks.
  • Key kept server-side only. The encryption key lives as a server secret. It's never bundled into the browser, never committed to source code, and never logged.
  • One-way to the browser. Once saved, your secret is only decrypted server-side, briefly, to make a request to Spotify. The plain-text value never travels back to your browser.
  • Yours to delete. You can rotate or remove your credentials anytime from Settings → Spotify app. Deleting your account wipes them entirely.
  • Bot-protected. The form that accepts your credentials is guarded by reCAPTCHA v3 to keep automated scrapers out.

Frequently asked