soundcloud / api

A public repo for our Developer Community to engage about bugs and feature requests on our Public API

SECURITY UPDATES RELATED TOPICS #84

Closed dasha-kobzeva closed 3 years ago

dasha-kobzeva commented 3 years ago

Hi!

Thank you for taking action. This thread is created specifically to accommodate any questions/concerns regarding the security updates in Soundcloud API.

If you are on board and the timeline is working for you, please react to this message with an emoji of your choice. Otherwise, leave us a comment and we will get back to you shortly.

Thank you!

dasha-kobzeva commented 3 years ago

Will there be an Authentication using email and password. I use it to generate once a week private playlists, started via crontab.

Hi, no. The password grant was deprecated as it is insecure.

-- UPDATE -- (rahul-sc) See here for more context https://oauth.net/2/grant-types/password/

billychasen commented 3 years ago

Hello, we have at times 30 - 50 users all requesting to listen to the same public track. We currently request the stream api with consumer_key. Do we need to update anything with the new API changes?

dasha-kobzeva commented 3 years ago


Hi @billychasen, Consumer_key is a deprecated parameter.

It would be great if you could migrate to using the client_credentials flow and sending a token in the Authorization header. By the end of September, your requests will be failing with 401 otherwise.

billychasen commented 3 years ago

@dasha-kobzeva thank you. Can 30 clients all share the same access_token at the same time? Or do I need a token for each client? I understand they expire after 6 hours, but I'm more asking about a moment in time.

dasha-kobzeva commented 3 years ago


Do you mean 30 users? If all of them are playing a track, for instance, from your app then authorizing your app is enough. So I believe 1 token is sufficient. In case the users want to access their resources on Soundcloud (/me endpoints) or create a track, then for each user, you need a separate token.

Hope that answers your question.

tfchristie commented 3 years ago

Is this new security on api calls going to affect these embed codes where we will have to edit previous posts now housed in our data?

Difficult to answer as we have not tested nor optimized for this use case. My guess is that the impact is the same, iframe or not. The changes pertain to how you authorize your requests to the API.

It looks to me like perhaps you call your own api? The code is a copy-paste of the embed code supplied from the tracks we have uploaded to Soundcloud. An example being: <iframe width="100%" height="166" scrolling="no" frameborder="no" allow="autoplay" src="https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/1103164642&color=%23ff5500&auto_play=false&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true"></iframe><div style="font-size: 10px; color: #cccccc;line-break: anywhere;word-break: normal;overflow: hidden;white-space: nowrap;text-overflow: ellipsis; font-family: Interstate,Lucida Grande,Lucida Sans Unicode,Lucida Sans,Garuda,Verdana,Tahoma,sans-serif;font-weight: 100;"><a href="https://soundcloud.com/wort-fm" title="WORT 89.9FM Madison" target="_blank" style="color: #cccccc; text-decoration: none;">WORT 89.9FM Madison</a> · <a href="https://soundcloud.com/wort-fm/20-is-plenty-program-launches-in-tenney-lapham-and-theresa-hammersley-neighborhoods" title="20 is Plenty Program Launches in Tenney-Lapham and Theresa-Hammersley Neighborhoods" target="_blank" style="color: #cccccc; text-decoration: none;">20 is Plenty Program Launches in Tenney-Lapham and Theresa-Hammersley Neighborhoods</a></div> So I guess I am just wondering if the embed code in the 'Sharing' ability is going to change.

rahul-sc commented 3 years ago


Thanks for providing more context to your question and providing an example - that really helps.

Embed code for the widget player will work as expected. No disruption is anticipated here.

billychasen commented 3 years ago


Thanks, I'll first start implementing and come back if any questions.

calzoneman commented 3 years ago

Hi, How can I register an application in order to migrate to the new authorization? When I click the "Sign up for a new app" button on https://soundcloud.com/you/apps (which is linked to by the API documentation), I receive a notice that says "Due to the high amount of requests recently received, we will no longer be processing API application requests at this time. We are working to re-evaluate our process to make it more efficient." EDIT: I see your FAQ that you are not issuing new API keys. I have an existing application, but I need to revoke and recreate the credentials to support this migration. Is that something you are able to do if I reach out privately?

Hi. Please see the FAQ section on how to "update redirect uri". You can use the same means to request your changes. Let me know if that worked for you.

Hi Rahul,

I submitted a ticket (case #1677423), however the rep seems to be confused and thinks that I am requesting a new API key (which isn't currently supported). Can you please help me clarify with support that I need my existing credentials to be regenerated?

aproni34f commented 3 years ago

"A request must contain the Authorization header. For details please refer to https://developers.soundcloud.com/blog/security-updates-api." means that your request was rejected as you are not providing the Authorization header.

Please update your system to use the Authorization header instead of client_id in a query. Let me know if it helps

Sorry, but I don't quite understand. I was only accessing public tracks and playlists from a user and played them. You can see the code on the link I left: https://www.interactivepixel.net/tst/ I would like to continue doing so without the need for the user to go through an authenticating screen or similar. Does this mean it's not possible to do this just with the use of javascript or php alone? On this page https://developers.soundcloud.com/docs/api/guide#authentication I can see this part: Authenticating without the SoundCloud Connect Screen. If I were to run this code I will get an access_token and then what do I need to do in regards to my previous code?

Can you provide me with some snippet how to do this?

dasha-kobzeva commented 3 years ago


Hi @aproni34f, you are getting an error on /resolve endpoint because you are not authenticated.

You send a request to /resolve, providing client_id. When the resolution happens, you get a 302 response with the next URL to call, for instance, /users/some_id. That second call was stripped of client_id, so our API treats it as unauthenticated.

Does it make sense?

To avoid such behaviour your call to /resolve must contain an Authorization header so that the redirect can also pick it up and give you a proper response back. You do not have to go through /connect to acquire a token for these calls. You can use client_credentials flow.

What it means is a call like the following:

$ curl -X POST "https://api.soundcloud.com/oauth2/token" \
     -H  "accept: application/json; charset=utf-8" \
     -H  "Content-Type: application/x-www-form-urlencoded" \
     --data-urlencode "grant_type=client_credentials" \
     --data-urlencode "client_id=YOUR_CLIENT_ID" \
     --data-urlencode "client_secret=YOUR_CLIENT_SECRET"

This will give you a token, which you place in a header "Authorization: OAuth TOKEN" and send with each request. Client_id in a query must be removed as it is not a valid way to authenticate anymore.

Be aware that the token expires every 6 hours. When that happens you can either get a new one again or use a refresh_token flow. In our API Guide, you can find more info on how-to.

Let me know if that answers your question.
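The server-side pattern described in the comment above, as an added example that is not part of the original thread and not SoundCloud's own code: obtain a token with the client_credentials POST shown, cache it and refresh it before the 6-hour expiry, send it as `Authorization: OAuth TOKEN` on every call, follow the 302 from /resolve while re-sending that header, and refresh once on a 401. The HTTP layer is a pluggable `transport` so the module runs offline against `FakeSoundCloud`, a constructed stand-in that mirrors only the behaviour the thread states (302 from /resolve, 401 without a valid header); the real `urllib_transport` is used by default. Assumptions not in the original: the token response carries an `expires_in` field in seconds, the `/users/123` payload and `YOUR_CLIENT_ID`/`YOUR_CLIENT_SECRET` placeholders are invented, and the refusal to follow redirects to any host other than api.soundcloud.com is this example's own safeguard against leaking the token.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.soundcloud.com/oauth2/token"
API_HOST = "api.soundcloud.com"
REFRESH_MARGIN = 300            # refresh this many seconds before the token expires
REDIRECT_CODES = (301, 302, 303, 307, 308)


def urllib_transport(method, url, headers, body):
    """Real transport: returns (status, headers, body) and does NOT auto-follow
    redirects, so the client below decides where the Authorization header goes."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None                     # None makes urllib raise HTTPError(3xx)
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.build_opener(NoRedirect).open(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class SoundCloudClient:
    def __init__(self, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self._id, self._secret = client_id, client_secret       # secret never leaves the server
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def _fetch_token(self):
        """POST grant_type=client_credentials, the same call as the curl in the thread."""
        form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                       "client_id": self._id,
                                       "client_secret": self._secret}).encode()
        status, _, raw = self._transport("POST", TOKEN_URL, {
            "Accept": "application/json; charset=utf-8",
            "Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token endpoint returned {status}")
        data = json.loads(raw)
        self._token = data["access_token"]
        # assumption: expires_in (seconds) is in the response; thread says tokens last 6h
        self._expires_at = self._clock() + float(data.get("expires_in", 6 * 3600))

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN:
            self._fetch_token()
        return self._token

    def get(self, url, max_redirects=5, _retried=False):
        """GET with 'Authorization: OAuth <token>', re-sent on same-host redirects only."""
        headers = {"Accept": "application/json; charset=utf-8",
                   "Authorization": f"OAuth {self.token()}"}
        for _ in range(max_redirects + 1):
            status, resp_headers, raw = self._transport("GET", url, headers, None)
            if status in REDIRECT_CODES:
                hdrs = {k.lower(): v for k, v in resp_headers.items()}
                target = urllib.parse.urljoin(url, hdrs.get("location", ""))
                if urllib.parse.urlsplit(target).hostname != API_HOST:
                    raise RuntimeError(f"refusing to send the token off-host: {target}")
                url = target
                continue
            if status == 401 and not _retried:      # token rejected: refresh once, retry once
                self._fetch_token()
                return self.get(url, max_redirects, _retried=True)
            if status != 200:
                raise RuntimeError(f"{url} returned {status}")
            return json.loads(raw)
        raise RuntimeError("too many redirects")

    def resolve(self, public_url):
        query = urllib.parse.urlencode({"url": public_url})
        return self.get(f"https://{API_HOST}/resolve?{query}")


class FakeSoundCloud:
    """Constructed stand-in for the API as the thread describes it: tokens from
    /oauth2/token, 302 from /resolve, 401 for any call without a valid header."""
    def __init__(self):
        self.issued, self.valid = 0, set()

    def __call__(self, method, url, headers, body):
        if method == "POST" and url == TOKEN_URL:
            self.issued += 1
            tok = f"tok{self.issued}"
            self.valid.add(tok)
            return 200, {}, json.dumps({"access_token": tok, "expires_in": 21600}).encode()
        auth = headers.get("Authorization", "")
        if not (auth.startswith("OAuth ") and auth[6:] in self.valid):
            return 401, {}, b'{"message": "A request must contain the Authorization header."}'
        path = urllib.parse.urlsplit(url).path
        if path == "/resolve":
            return 302, {"Location": f"https://{API_HOST}/users/123"}, b""
        if path == "/users/123":
            return 200, {}, b'{"id": 123, "kind": "user"}'   # invented payload
        return 404, {}, b""


def demo():
    """Walk through the thread's scenarios offline and return the values to check."""
    api, now = FakeSoundCloud(), [0.0]
    client = SoundCloudClient("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                              transport=api, clock=lambda: now[0])
    user = client.resolve("https://soundcloud.com/wort-fm")  # token fetched, 302 followed with header
    first = client.token()
    now[0] += 6 * 3600                                         # six hours later: token refreshed
    second = client.token()
    api.valid.clear()                                          # server-side revocation: 401, refresh, retry
    again = client.resolve("https://soundcloud.com/wort-fm")
    return user, first, second, api.issued, again
```

Against the live API, `SoundCloudClient(client_id, client_secret).resolve(url)` uses the default urllib transport. Keep this code and the client_secret on your server: the closing note in the thread says both flows are server-side, and a browser page that holds the secret hands it to every visitor. The client follows redirects itself because HTTP libraries differ on what they do with the Authorization header on a redirect; re-sending a bearer token to a host other than api.soundcloud.com would leak it, so the example refuses such redirects outright.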

aproni34f commented 3 years ago

And where do I place "Authorization: OAuth TOKEN" in relation to SC.get call?

dasha-kobzeva commented 3 years ago


oh, you are using the JS SDK. I see the problem now. SDK was not updated yet, so unfortunately it would not work at the moment.

I would suggest creating an extension to your JS app and calling /resolve directly.

aproni34f commented 3 years ago

Is there a complete snippet to all this? I guess I need client_credentials flow and a way to regenerate token, so user can listen music without interruption.

dasha-kobzeva commented 3 years ago

@aproni34f, I'm sorry I do not understand what you mean by a complete snippet? We provide an API guide describing the authentication process: https://developers.soundcloud.com/docs/api/guide#user-credentials

aproni34f commented 3 years ago

It means I don't know from your API guide how to do all this now. This is the code I used so far: https://paste.ofcode.org/37xhRb4zNKkMszzieGhRCUc

javpet commented 3 years ago

Thanks for opening the threads for questions! I got a bit puzzled with the information.

Thanks for your help!

dasha-kobzeva commented 3 years ago

Thank you everyone for your questions and feedback!

As this thread became quite massive we are going to close it. To wrap it up, here is some additional information and answers to outstanding questions:

[Q] I'm using one of the SDKs. How can I update my system for it to work with new security changes? [A] Due to limited capacities, we are not able to provide proper support for the SDKs, and it was decided to deprecate them. Currently, our main focus is on API itself.

[Q] I'm only fetching public resources and providing client_id in the query. What do I have to change for it to work now? [A] Providing client_id is redundant and won't work by the end of September when the changes are 100% rolled out. You might get a 401 error from time to time already, meaning your request was capped and rejected. We ask you to start sending the Authorization header for each and any request and remove client_id from the query.

Soundcloud supports 2 authorization flows (depending on your use case); you can find more in our guide: https://developers.soundcloud.com/docs/api/guide#authentication

Note: both flows are server-side. Unfortunately, there is no pure client-side auth at the moment.

In case of any issues, please create a separate ticket. We understand your frustration with some of these changes, but in order for us to provide users with better support and be able to open the app registration again, we have to make the access to Soundcloud more secure.

Thank you! Soundcloud Team

FrazerJHogg commented 3 years ago

Please could you confirm the rollout timeline for this change?

testco-de commented 3 years ago
  • I use the Javascript SDK on the client side, initialized with SC.initialize() by using the client_id only. This meant to access only public information from Soundcloud. Do I have to change this behavior for the new Authentication approach?

I'd also like to know best practice here. Currently a public stream can be played via javascript by initializing with client_id and then calling SC.stream('/tracks/' + sourceid)

If we don't want to authorize the user, but still play the track, either we can proxy the stream with our server, which gets a token and then gets the stream. Or, do we get a token and send it with SC.initialize?

dasha-kobzeva commented 3 years ago

Hi @turntablefm,

we have decided to not maintain the JS SDK anymore and with the recent changes, I believe it won't be working as expected. We are looking for maintainers at this point, who are interested to make it compliant with new auth.

Otherwise, we suggest implementing our REST API.

P.S. please for future enquiries create a separate ticket.

vsiv commented 3 years ago

Hi @dasha-kobzeva team,

Our developer app seems to have been deleted automatically! Any ideas on how to get it restored? It is affecting our app customers.

thanks!

dasha-kobzeva commented 3 years ago


Hello @vsiv, could you please create a separate ticket and provide all the relevant information about your app, so we can investigate what happened. Thank you.

michaelmakar commented 2 years ago

My application was disrupted by the change. I need more time to update