SECURITY UPDATES RELATED TOPICS

[dasha-kobzeva]

Hi!

Thank you for taking action. This thread is created specifically to accommodate any questions/concerns regarding the security updates in Soundcloud API.

If you are on board and the timeline is working for you, please react to this message with an emoji of your choice. Otherwise, leave us a comment and we will get back to you shortly.

Thank you!

[softworkz]

I had used the API a while ago, but then it happened that the amount of playable (via MP3 streaming) items suddenly decreased without indication which ones would be playable and which wouldn't. A "workaround" was to load an html page and grab a specific ID from that page. This allowed to play most items for a while, but eventually that stopped working well and finally turned me into giving up the project (plugin for a Media Server application).

After the introduction of those commercial announcements, I had even stopped using SC privately.

Now that those commercials appear to be history, I wanted to ask about the current status of the API:

What's playable via API streaming and what is not? Specifically, when logging into the API with a user's credentials (or auth token), will it be possible to retrieve the streams (for live streaming) for all the same tracks that a user can play when accessing SC from a browser?

Thanks, sw

[dasha-kobzeva]

I had used the API a while ago, but then it happened that the amount of playable (via MP3 streaming) items suddenly decreased without indication which ones would be playable and which wouldn't. A "workaround" was to load an html page and grab a specific ID from that page. This allowed to play most items for a while, but eventually that stopped working well and finally turned me into giving up the project (plugin for a Media Server application).

After the introduction of those commercial announcements, I had even stopped using SC privately.

Now that those commercials appear to be history, I wanted to ask about the current status of the API:

What's playable via API streaming and what is not? Specifically, when logging into the API with a user's credentials (or auth token), will it be possible to retrieve the streams (for live streaming) for all the same tracks that a user can play when accessing SC from a browser?

Thanks, sw

Hi @softworkz,

thank you for your question. I believe this blog post might be quite useful and can answer your question regarding what content you can stream off-platform: https://developers.soundcloud.com/blog/high-tier-content-in-the-soundcloud-api

[HypeTunes]

Really glad to see that there is work being done with the API. In the documentation it states that you aren’t really going to support any updates. Since it looks like that’s not the case, can you provide details on when we will be able to make changes to our callback URLs? Currently, we are unable to make these changes. Thank you.

[dasha-kobzeva]

Really glad to see that there is work being done with the API. In the documentation it states that you aren’t really going to support any updates. Since it looks like that’s not the case, can you provide details on when we will be able to make changes to our callback URLs? Currently, we are unable to make these changes. Thank you.

Hi @HypeTunes, currently, we cannot give you an update on this matter. If you want to update the callback URL for your app, please create a separate ticket and we can help you with that.

[softworkz]

I had used the API a while ago, but then it happened that the amount of playable (via MP3 streaming) items suddenly decreased without indication which ones would be playable and which wouldn't. A "workaround" was to load an html page and grab a specific ID from that page. This allowed to play most items for a while, but eventually that stopped working well and finally turned me into giving up the project (plugin for a Media Server application). After the introduction of those commercial announcements, I had even stopped using SC privately. Now that those commercials appear to be history, I wanted to ask about the current status of the API: What's playable via API streaming and what is not? Specifically, when logging into the API with a user's credentials (or auth token), will it be possible to retrieve the streams (for live streaming) for all the same tracks that a user can play when accessing SC from a browser? Thanks, sw

Hi @softworkz,

thank you for your question. I believe this blog post might be quite useful and can answer your question regarding what content you can stream off-platform: https://developers.soundcloud.com/blog/high-tier-content-in-the-soundcloud-api

Hi @dasha-kobzeva, thanks a lot for your reply. The blog entry sounds promising as it fills a long outstanding gap. The blog is talking about Go+ content. How about Non-Go+ content? Is it possible to stream all non-Go+ content via API?` sw

[dasha-kobzeva]

@softworkz as long as there are no track-specific restrictions, non-go+ content is allowed for streaming through the API.

[tfchristie]

Hopefully a quick question - The only call to api.soundcloud.com we make is from your iframe embed codes supplied over the years which we include in our web posts as the audio portion of the post (we are a radio station so the audio portion is the most important part of said posts). Is this new security on api calls going to affect these embed codes where we will have to edit previous posts now housed in our data? Thanks for any clarification! Thom

[calzoneman]

Hi,

My use case is to allow users to add items (which could be from YouTube, Soundcloud, or somewhere else) to a shared playlist, which then has synchronized playback among viewers.

To support Soundcloud, when a user enters a Soundcloud permalink, I issue a request from my server to the /resolve endpoint (following the redirect) in order to retrieve metadata such as the title and duration of the track. This is authenticated with my application's client_id -- I have no use case for authenticating users with specific Soundcloud accounts (as I mentioned, these are being added to shared playlists).

Please correct me if I missed something, but the API docs seem to all be authenticated based on specific users, i.e., OAuth must be used to present a user with a "log in with Soundcloud" page and then use the resulting token to make requests on behalf of that user. I have no use case for this, I just need to authenticate my application to access the /resolve endpoint.

Please advise.

[zabatonni]

I'm using server side implementation using grant_type=client_credentials, but returned token is not working for furhter API requests. I always get error 401. Could you please help me?

[dasha-kobzeva]

Hi,

My use case is to allow users to add items (which could be from YouTube, Soundcloud, or somewhere else) to a shared playlist, which then has synchronized playback among viewers.

To support Soundcloud, when a user enters a Soundcloud permalink, I issue a request from my server to the /resolve endpoint (following the redirect) in order to retrieve metadata such as the title and duration of the track. This is authenticated with my application's client_id -- I have no use case for authenticating users with specific Soundcloud accounts (as I mentioned, these are being added to shared playlists).

Please correct me if I missed something, but the API docs seem to all be authenticated based on specific users, i.e., OAuth must be used to present a user with a "log in with Soundcloud" page and then use the resulting token to make requests on behalf of that user. I have no use case for this, I just need to authenticate my application to access the /resolve endpoint.

Please advise.

HI @calzoneman,

for your use case, you can use the client_credentials flow, where you only need to provide client_id/secret. Please refer to https://developers.soundcloud.com/docs/api/guide#user-credentials for more details.

[dasha-kobzeva]

I'm using server side implementation using grant_type=client_credentials, but returned token is not working for furhter API requests. I always get error 401. Could you please help me?

Hi @zabatonni, Could you please provide examples of what endpoints are you trying to call?

[zabatonni]

I'm using server side implementation using grant_type=client_credentials, but returned token is not working for furhter API requests. I always get error 401. Could you please help me?

Hi @zabatonni, Could you please provide examples of what endpoints are you trying to call?

https://api.soundcloud.com/me/tracks?limit=1

resulting in:

{
    "code": 401,
    "message": "",
    "link": "https://developers.soundcloud.com/docs/api/explorer/open-api",
    "status": "401 - Unauthorized",
    "errors": [],
    "error": null
}

[dasha-kobzeva]

I'm using server side implementation using grant_type=client_credentials, but returned token is not working for furhter API requests. I always get error 401. Could you please help me?

Hi @zabatonni, Could you please provide examples of what endpoints are you trying to call?

https://api.soundcloud.com/me/tracks?limit=1

resulting in:

{
    "code": 401,
    "message": "",
    "link": "https://developers.soundcloud.com/docs/api/explorer/open-api",
    "status": "401 - Unauthorized",
    "errors": [],
    "error": null
}

@zabatonni,

you are trying to access a user's resource which requires a user session. /me endpoints are resolved to a current user. grant_type=client_credentials is not sufficient in this case, and you have to use grant_type=authorization_code.

Guide: https://developers.soundcloud.com/docs/api/guide#server-side

Best,

[zabatonni]

I'm using server side implementation using grant_type=client_credentials, but returned token is not working for furhter API requests. I always get error 401. Could you please help me?

Hi @zabatonni, Could you please provide examples of what endpoints are you trying to call?

https://api.soundcloud.com/me/tracks?limit=1 resulting in:

{
    "code": 401,
    "message": "",
    "link": "https://developers.soundcloud.com/docs/api/explorer/open-api",
    "status": "401 - Unauthorized",
    "errors": [],
    "error": null
}

@zabatonni,

you are trying to access a user's resource which requires a user session. /me endpoints are resolved to a current user. grant_type=client_credentials is not sufficient in this case, and you have to use grant_type=authorization_code.

Guide: https://developers.soundcloud.com/docs/api/guide#server-side

Best,

next one is PUT https://api.soundcloud.com/playlists/{PLAYLIST_ID} with same 401 error. I have set Authorization header with token

[dasha-kobzeva]

I'm using server side implementation using grant_type=client_credentials, but returned token is not working for furhter API requests. I always get error 401. Could you please help me?

Hi @zabatonni, Could you please provide examples of what endpoints are you trying to call?

https://api.soundcloud.com/me/tracks?limit=1 resulting in:

{
    "code": 401,
    "message": "",
    "link": "https://developers.soundcloud.com/docs/api/explorer/open-api",
    "status": "401 - Unauthorized",
    "errors": [],
    "error": null
}

@zabatonni, you are trying to access a user's resource which requires a user session. /me endpoints are resolved to a current user. grant_type=client_credentials is not sufficient in this case, and you have to use grant_type=authorization_code. Guide: https://developers.soundcloud.com/docs/api/guide#server-side Best,

next one is PUT https://api.soundcloud.com/playlists/{PLAYLIST_ID} with same 401 error. I have set Authorization header with token

@zabatonni have you acquired the token through authorization code flow?

[zabatonni]

I'm using server side implementation using grant_type=client_credentials, but returned token is not working for furhter API requests. I always get error 401. Could you please help me?

Hi @zabatonni, Could you please provide examples of what endpoints are you trying to call?

https://api.soundcloud.com/me/tracks?limit=1 resulting in:

{
    "code": 401,
    "message": "",
    "link": "https://developers.soundcloud.com/docs/api/explorer/open-api",
    "status": "401 - Unauthorized",
    "errors": [],
    "error": null
}

@zabatonni, you are trying to access a user's resource which requires a user session. /me endpoints are resolved to a current user. grant_type=client_credentials is not sufficient in this case, and you have to use grant_type=authorization_code. Guide: https://developers.soundcloud.com/docs/api/guide#server-side Best,

next one is PUT https://api.soundcloud.com/playlists/{PLAYLIST_ID} with same 401 error. I have set Authorization header with token

@zabatonni have you acquired the token through authorization code flow?

nope, it's pure server script used for automation of uploading sounds and putting them in correct playlists. Code flow is not doable server-side only.

[dasha-kobzeva]

@zabatonni, our API does not allow track upload without associating a user session to it. The track has to belong to someone, the same way as the playlist.

When you are using SoundCloud you are logging in to create/edit playlists or tracks. API works exactly the same, so a logged-in user is expected.

Hope this answers your question. Best,

[zabatonni]

@zabatonni, our API does not allow track upload without associating a user session to it. The track has to belong to someone, the same way as the playlist.

When you are using SoundCloud you are logging in to create/edit playlists or tracks. API works exactly the same, so a logged-in user is expected.

Hope this answers your question. Best,

I've tried obtaining token using code flow, but our application has not redirect_uri set up and is not editable. So I'm stuck with this issue.

[dasha-kobzeva]

@zabatonni, our API does not allow track upload without associating a user session to it. The track has to belong to someone, the same way as the playlist. When you are using SoundCloud you are logging in to create/edit playlists or tracks. API works exactly the same, so a logged-in user is expected. Hope this answers your question. Best,

I've tried obtaining token using code flow, but our application has not redirect_uri set up and is not editable. So I'm stuck with this issue.

please refer to our readme https://github.com/soundcloud/api#how-can-i-update-my-apps-redirect_uri to update the app's data.

[jesshmusic]

I really need to update this, but my registered app disappeared from the developer dashboard and I am unable to sign up for a new one. Who do I contact to resolve this?

[dasha-kobzeva]

I really need to update this, but my registered app disappeared from the developer dashboard and I am unable to sign up for a new one. Who do I contact to resolve this?

Hi @jesshmusic , Your credentials might have been revoked. PLease create a new ticket and provide your client_id. We will reinstate your app.

[lijon]

I'm using the official (but abandoned?) SoundCloud iOS SDK in one of my apps to allow musicians to upload their tracks. Will this change break it? Anyone know of an updated iOS SDK or a simpler way of uploading a track directly from within an app?

[rahul-sc]

I'm using the official (but abandoned?) SoundCloud iOS SDK in one of my apps to allow musicians to upload their tracks. Will this change break it? Anyone know of an updated iOS SDK or a simpler way of uploading a track directly from within an app?

Hello. We're not maintaining any of the SDKs, unfortunately. My recommendation is to use the API directly. The examples and spec are outlined here https://developers.soundcloud.com/docs/api/explorer/open-api#/tracks/post_tracks

Hope this helps :)

[lijon]

I'm using the official (but abandoned?) SoundCloud iOS SDK in one of my apps to allow musicians to upload their tracks. Will this change break it? Anyone know of an updated iOS SDK or a simpler way of uploading a track directly from within an app?

Hello. We're not maintaining any of the SDKs, unfortunately. My recommendation is to use the API directly. The examples and spec are outlined here https://developers.soundcloud.com/docs/api/explorer/open-api#/tracks/post_tracks

Hope this helps :)

Yes, I understand that would be the best approach. Unfortunately I don't have the time to rewrite that part of my app before the API changes occur. My plan is to remove the feature in the future, since one can now upload a track directly in the SoundCloud app (and my own app provides a FileProvider plugin so it can pick a file from it)

[rahul-sc]

I'm using the official (but abandoned?) SoundCloud iOS SDK in one of my apps to allow musicians to upload their tracks. Will this change break it? Anyone know of an updated iOS SDK or a simpler way of uploading a track directly from within an app?

Hello. We're not maintaining any of the SDKs, unfortunately. My recommendation is to use the API directly. The examples and spec are outlined here https://developers.soundcloud.com/docs/api/explorer/open-api#/tracks/post_tracks Hope this helps :)

Yes, I understand that would be the best approach. Unfortunately I don't have the time to rewrite that part of my app before the API changes occur. My plan is to remove the feature in the future, since one can now upload a track directly in the SoundCloud app (and my own app provides a FileProvider plugin so it can pick a file from it)

While we have not actively roadmapped this, we're considering adding a share extension to our mobile upload experience. That way other apps can leverage th upload flow by simply redirecting the user to SC app. I'm not sure if that would be useful to you but if it does, please do make a feature request :)

[egm0121]

Hello! My question is whether/when will the api.soundcould.com/track/{tid}/stream endpoint stop working when only providing a client_id?

I cannot find any timeline regarding these breaking changes… it’s now August and the legacy approach seems to be working still, but for how long?

Thanks for your help

[calzoneman]

Hi,

How can I register an application in order to migrate to the new authorization? When I click the "Sign up for a new app" button on https://soundcloud.com/you/apps (which is linked to by the API documentation), I receive a notice that says "Due to the high amount of requests recently received, we will no longer be processing API application requests at this time. We are working to re-evaluate our process to make it more efficient."

EDIT: I see your FAQ that you are not issuing new API keys. I have an existing application, but I need to revoke and recreate the credentials to support this migration. Is that something you are able to do if I reach out privately?

[mkbrv]

Hi,

We have a client side javascript implementation where we call the following endpoint: http://api.soundcloud.com/tracks/${soundId}?secret_token=${secretToken}

I don't see any references to a secret_token in the announcement. Would this impact us? I also don't see a secret_token in the documentation: https://developers.soundcloud.com/docs/api/sdks#javascript So this is a bit concerning to us.

Thank you

[rahul-sc]

Hello! My question is whether/when will the api.soundcould.com/track/{tid}/stream endpoint stop working when only providing a client_id?

I cannot find any timeline regarding these breaking changes… it’s now August and the legacy approach seems to be working still, but for how long?

Thanks for your help

Hello! We're aiming for end of september now given that we heard back from our community and we'll keep watching this space. We really need the community's help to secure the API integrations so we can offer more capabilities in the future.

[rahul-sc]

Hi,

How can I register an application in order to migrate to the new authorization? When I click the "Sign up for a new app" button on https://soundcloud.com/you/apps (which is linked to by the API documentation), I receive a notice that says "Due to the high amount of requests recently received, we will no longer be processing API application requests at this time. We are working to re-evaluate our process to make it more efficient."

EDIT: I see your FAQ that you are not issuing new API keys. I have an existing application, but I need to revoke and recreate the credentials to support this migration. Is that something you are able to do if I reach out privately?

Hi. Please see FAQ section on how to "update redirect uri". You can use the same means to request for your changes. Lmk if that worked for you

[rahul-sc]

Hi,

We have a client side javascript implementation where we call the following endpoint: http://api.soundcloud.com/tracks/${soundId}?secret_token=${secretToken}

I don't see any references to a secret_token in the announcement. Would this impact us? I also don't see a secret_token in the documentation: https://developers.soundcloud.com/docs/api/sdks#javascript So this is a bit concerning to us.

Thank you

Secret token is for accessing a user's private tracks. Since you're doing user-related actions, I can assume that you're already passing an Authenticatin header in your requests. Meaning, that this interaction would be fine.

[JoeGermuska]

I've read through the blog post and can't find any references to the use-case I need to support, which is streaming playback. Is this feature (as documented here) part of the changes which are coming?

The email which was sent says:

Deprecation of client_id and the requirement to provide an Authorization header for each request is the biggest update.

We use client_id in the SC.initialize step, but are only playing public audio files, so don't think that any kind of authorization would apply, unless you're really locking down streaming.

[rahul-sc]

I've read through the blog post and can't find any references to the use-case I need to support, which is streaming playback. Is this feature (as documented here) part of the changes which are coming?

The email which was sent says:

Deprecation of client_id and the requirement to provide an Authorization header for each request is the biggest update.

We use client_id in the SC.initialize step, but are only playing public audio files, so don't think that any kind of authorization would apply, unless you're really locking down streaming.

Hey, Joe. I believe when you initialize with the JS SDK and you perform a "authorization_code" flow, you will be acquiring an access token that is used for the Authorization Header. My suspicion is that it won't be affected by this change. See the line below. You need to make sure that the OAuth token is set in the config https://github.com/soundcloud/soundcloud-javascript/blob/master/src/stream.js#L43

Also, please note, we're not actively maintaining these SDKs and will be looking for OSS maintainers rather soon. We're devoting most of our efforts towards the API itself.

[emanco]

I've read through the blog post and can't find any references to the use-case I need to support, which is streaming playback. Is this feature (as documented here) part of the changes which are coming?

The email which was sent says:

Deprecation of client_id and the requirement to provide an Authorization header for each request is the biggest update.

We use client_id in the SC.initialize step, but are only playing public audio files, so don't think that any kind of authorization would apply, unless you're really locking down streaming.

We're in the same boat. Are we supposed to take any action to carry on supporting our audio players? We're currently streaming just public audio files and have been using the client_id inside the SC.initialize function for years with no problems. Does this change affect the JS SDK at all? 🤔

[aproni34f]

I have the same question. I have been using SC.initialize with client_id before and getting public user tracks with https://api.soundcloud.com/resolve.json?url='+SOUNDCLOUD_URL+'&client_id='+CLIENT_ID; So this method will not work any more?

[Overload119]

It looks like https://github.com/soundcloud/soundcloud-ruby was not updated with this change so my API broke and there's no easy upgrade path outside of rolling your own client (which I'm looking at doing now).

[remover]

I have the same question. I have been using SC.initialize with client_id before and getting public user tracks with https://api.soundcloud.com/resolve.json?url='+SOUNDCLOUD_URL+'&client_id='+CLIENT_ID; So this method will not work any more?

@aproni34f This should be working. Could you please verify? 🙏

[dasha-kobzeva]

It looks like https://github.com/soundcloud/soundcloud-ruby was not updated with this change so my API broke and there's no easy upgrade path outside of rolling your own client (which I'm looking at doing now).

Hi @Overload119, due to our limited capacity at the moment it was decided to discontinue support of Ruby and Python SDKs. We are still exploring the possibility to make it open-source for the community to support, or deprecate completely. in case no one is interested. Would you be open to supporting it in the future?

[rdbsf]

hello, ive followed the doc https://developers.soundcloud.com/blog/security-updates-api and using postman i was able to get an access_token and refresh_token however im not able to use the access_token successfully.

calling https://api.soundcloud.com/me/tracks?limit=1 or any api endpoint

{
    "code": 401,
    "message": "",
    "link": "https://developers.soundcloud.com/docs/api/explorer/open-api",
    "status": "401 - Unauthorized",
    "errors": [],
    "error": null
}

ive also tried and seen an error using open api directly here https://developers.soundcloud.com/docs/api/explorer/open-api

TypeError: Failed to fetch

[dasha-kobzeva]

hello, ive followed the doc https://developers.soundcloud.com/blog/security-updates-api and using postman i was able to get an access_token and refresh_token however im not able to use the access_token successfully.

calling https://api.soundcloud.com/me/tracks?limit=1 or any api endpoint

{
    "code": 401,
    "message": "",
    "link": "https://developers.soundcloud.com/docs/api/explorer/open-api",
    "status": "401 - Unauthorized",
    "errors": [],
    "error": null
}

ive also tried and seen an error using open api directly here https://developers.soundcloud.com/docs/api/explorer/open-api

TypeError: Failed to fetch

Hi @rdbsf,

Have you used the authorization_code flow to acquire the token? And do you send it with a request in an Authorization header?

[rdbsf]

@dasha-kobzeva im using grant_type client_credentials to get the token and in the Request header Authorization: OAuth <token>

ah ok sorry that explains why /me is not working in that case.

[rahul-sc]

Hopefully a quick question - The only call to api.soundcloud.com we make is from your iframe embed codes supplied over the years which we include in our web posts as the audio portion of the post (we are a radio station so the audio portion is the most important part of said posts). Is this new security on api calls going to affect these embed codes where we will have to edit previous posts now housed in our data? Thanks for any clarification! Thom

Difficult to answer as we have not tested nor optimized for this use case. My guess is that the impact is the same, iframe or not. The changes are pertaining to how your authorize your requests to the API.

[aproni34f]

I have the same question. I have been using SC.initialize with client_id before and getting public user tracks with https://api.soundcloud.com/resolve.json?url='+SOUNDCLOUD_URL+'&client_id='+CLIENT_ID; So this method will not work any more?

@aproni34f This should be working. Could you please verify? 🙏

This used to work until recently, but now its throwing CORS error and I havent changed anything.

Access to XMLHttpRequest at 'https://api.soundcloud.com/users/8928131' (redirected from 'https://api.soundcloud.com/resolve.json?url=https%3A%2F%2Fsoundcloud.com%2Fkatermukke%2Ftracks&client_id=CLIENT_ID&limit=999999999&linked_partitioning=1&format=json&_status_code_map[302]=200') from origin 'http://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

[dasha-kobzeva]

HI @aproni34f, we rolled out another fix, could you try again and let me know if you are still seeing the issue?

[aproni34f]

Sorry, the error is different now, please check this page, it includes this request.

"A request must contain the Authorization header. For details please refer to https://developers.soundcloud.com/blog/security-updates-api."

https://www.interactivepixel.net/tst/

You can see the code in source page and the error in console.

[dasha-kobzeva]

"A request must contain the Authorization header. For details please refer to https://developers.soundcloud.com/blog/security-updates-api." means that your request was rejected as you are not providing the Authorization header.

Please update your system to use the Authorization header instead of client_id in a query. Let me know if it helps

[aproni34f]

Ok, but my other problem is I used to had Soundcloud api application however now its gone. My user id is https://soundcloud.com/user7527563. Can you check my account and see if you can re-enable my previous app? I can provide more details if necessary.

[dasha-kobzeva]

Ok, but my other problem is I used to had Soundcloud api application however now its gone. My user id is https://soundcloud.com/user7527563. Can you check my account and see if you can re-enable my previous app? I can provide more details if necessary.

To re-enable the app/ update any details please refer to this section in our README.

[aproni34f]

Ok, I have send the message 5 days ago, I will wait for reply. My ticket is #1672526

[MiguSchweiz]

Will there be an Authentication using email and password. I use it to generate once a week private playlists, started via crontab.