5

I'm working on integrating Apple Music into my web app. I let users authenticate once, using Apple's MusicKit JS. However, I'm curious if the resulting Music User Token expires. I'm storing this token in a database, but I need to know if I can use this token again at a later date without having the user authenticate again.

This question seems to be semi-related.

Thanks!

Niels Kersic

2 Answers

4

After taking a cursory look around, I've found two different questions in the Apple developer forums suggesting that there is a non-configurable 6-month expiration of these tokens. One of these posts was answered by an Apple Media Engineer 2 months ago, which seems about as authoritative a source as you can get outside of documentation.

Forum entry #1: How to set music user token expiration?

Question:

I would like to create presave feature on my app with Apple Music API. On this article, developer token has an option to set expiration date but music user token don't. Does music user token has an option to set expiration date? If not, how do I know expiration date on music user token?

Answer (from an Apple Media Engineer, 2 months ago):

Thanks for your question regarding Media User Token expiration.

The Media User Token expires after 6 months, currently. There is no way to configure this by the developer.

Forum entry #2: When does a Music User token expire?

Question:

After how much time does a Music User token expire? For my use case I am unable to reauth the user using MusicKit JS, so I would like to know how long I can use the User token.

Answer (from a user, 1 year ago):

The expiration is 6 months currently

B. Fleming
3

I've been trying to figure this out as well. I just made a call to create a playlist on behalf of a user and received a 403. Unfortunately, I don't know how long the token has been sitting stale, but I do think it has been close to 1 - 2 months...

The other issue here is you have to re-prompt the user to sign in (as I don't think there is a refresh token endpoint). Maybe we can find a solution together on this!

Dharman
  • Just as a follow up here, I think I am going to keep a look out for this 403 response again, log the timestamp and then prompt user to re-auth with UI – adilanchian Jul 17 '20 at 15:23
  • How long is your Developer token valid? Did you create one for the full 6 months? Someone else suggested that the User tokens would be valid for the same amount of time as the Developer tokens, since they likely use the Developer token to sign the User token, but I'm not so sure about that. Also, my issue is that I have functionality where I can't let people reauth (presave campaign) so it would be a shame if in the end I couldn't save the music to their libraries – Niels Kersic Jul 19 '20 at 06:47
  • Ya great question. So the way I have my flow setup is the following: 1. Generate Apple Developer Token with a lifespan of 6 months 2. Store token in DB and every time a new Apple Music Token is needed, check to see if the Apple Developer Token is expired and if so, refresh it 3. Get Apple Music Token and use it. The biggest problem I see here is you can't re-auth a user without going through some UI in MusicKit JS from what I can tell... Honestly, might make sense to file a radar on this. – adilanchian Jul 20 '20 at 16:14
  • Yeah, reauthentication always needs to go through MusicKit. There are no refresh tokens or similar. If the User token expiration is indeed based on the expiration of the Developer token, it would make sense that some of your User tokens last longer than others. For my use case, I generate a new Developer token every time I need to create a MusicKit instance for a new user. If my theory is correct, this would mean my User tokens are always valid for 6 months. – Niels Kersic Jul 20 '20 at 16:23
  • I definitely think you may be onto something here. It still doesn't explain why I received a 403 earlier, but maybe it wasn't in relation to the Music User Token at all. I think a good test here could be creating an Apple Developer Token that only lasts a short amount of time and test to see if the Apple Music Token stops working at that point. I'm also curious why you decided to mint a new Developer token for every new user? Do you trash the older Developer token or do you keep track of each Developer token per user? – adilanchian Jul 20 '20 at 17:22
  • A User token does not need to be used with the _exact_ Developer token that it was created with. Therefore it would indeed be interesting to create a User token with a Developer token that is only briefly valid and then seeing if the User token is usable after this period with a new Developer token. – Niels Kersic Jul 20 '20 at 20:35
  • Okay, I tested the theory by creating a Developer Token that was valid for 120 seconds and I used that one to create a User token. This was about 12 hours ago and I'm still getting valid responses with that User token (with a new Developer token), so I'm officially out of ideas. @adilanchian – Niels Kersic Jul 21 '20 at 10:27
  • 1
    Did you guys find any documentation/conclusion about the longevity of the user token? – Florian May 22 '21 at 08:38
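
The bookkeeping discussed in this thread (store the issue time with the token, watch for a 403, log when it happened, then prompt for re-auth through MusicKit JS) can be sketched as follows. This is an added example, not code from any of the posters; the record shape, function names and the 14-day warning window are hypothetical, and the 182-day lifetime is only the "6 months" figure quoted in the answers.

```javascript
// Added example: lifecycle bookkeeping for a stored Music User Token.
const DAY_MS = 24 * 60 * 60 * 1000;
const ASSUMED_LIFETIME_MS = 182 * DAY_MS; // "6 months" per the forum answers (assumption)
const REAUTH_WINDOW_MS = 14 * DAY_MS;     // hypothetical: start prompting two weeks early

// Hypothetical DB record: { userId, userToken, issuedAt, invalidatedAt }
function tokenStatus(record, nowMs) {
  if (record.invalidatedAt !== null) return 'reauth_required'; // API already rejected it
  const age = nowMs - record.issuedAt;
  if (age >= ASSUMED_LIFETIME_MS) return 'presumed_expired';
  if (age >= ASSUMED_LIFETIME_MS - REAUTH_WINDOW_MS) return 'reauth_soon';
  return 'usable';
}

// A user-scoped Apple Music API call carries both tokens: the developer
// token as a Bearer credential and the user token in Music-User-Token.
function buildRequest(record, developerToken) {
  return {
    url: 'https://api.music.apple.com/v1/me/library/playlists',
    headers: {
      Authorization: `Bearer ${developerToken}`,
      'Music-User-Token': record.userToken,
    },
  };
}

// Fold an HTTP status into the record. A 403 flags the token and yields the
// observed lifetime in days; the token is kept, since (as noted in the
// comments) a single 403 may have another cause.
function applyResponse(record, httpStatus, nowMs) {
  if (httpStatus !== 403) return { record, observedLifetimeDays: null };
  return {
    record: { ...record, invalidatedAt: nowMs },
    observedLifetimeDays: Math.floor((nowMs - record.issuedAt) / DAY_MS),
  };
}

// Constructed sample record; the token value is a placeholder.
const sample = {
  userId: 'user-1',
  userToken: 'PLACEHOLDER_USER_TOKEN',
  issuedAt: Date.UTC(2020, 0, 1),
  invalidatedAt: null,
};
const rejected = applyResponse(sample, 403, sample.issuedAt + 45 * DAY_MS);
// Log only the user id and the timing, never the token itself.
console.log(sample.userId, tokenStatus(rejected.record, Date.now()),
  'after', rejected.observedLifetimeDays, 'days');
```

Recording `observedLifetimeDays` for every rejection gives the data needed to check the 6-month figure against real behaviour instead of relying on it.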