consumer_key no longer supported?

[Keeper-of-the-Keys]

Title: consumer_key no longer supported?

Issue found of: September 20th, 2020

It looks like you have seriously overhauled the API and access to it and and I'm unclear if apps like gPodder (a podcast client) are still supported in this model since an OAuth token is inherently bound to a user and not an application.

At the moment all API requests that I attempt to run return 401, from a quick look at the API docs it also looks like they are to your old API, example:

https://api.soundcloud.com/users.json?q=%22Medic%20Mindset%22&consumer_key=[GPODDER_KEY]

For a while it was actually returning real data and 401s at random (I assume depending on which server it was being load-balanced to) but now it seems to always be 401.

So can things still work by moving the consumer_key to an authentication header or is this no longer supported in any way?
Is the SC API supposed to only be accessed by registered SC users from now on?

Thanks!

[dasha-kobzeva]

Hi @Keeper-of-the-Keys ,

Please refer to our blog post regarding the security updates: https://developers.soundcloud.com/blog/security-updates-api

Also the guide contains more information:
https://developers.soundcloud.com/docs/api/guide

So can things still work by moving the consumer_key to an authentication header or is this no longer supported in any way?
Is the SC API supposed to only be accessed by registered SC users from now on?

things will work if you replace consumer_key with Auth header. API supports 2 authentication methods: client_credentials (no associated user for public resource's access) and authorization_code (associated user session to access private resources like /me, or post a track)

[Keeper-of-the-Keys]

Thanks for the reply.

From the blogpost the distinction between client_credentials and authorization_code were not clear to me.
So basically if we want to continue to support SC we need to request new client credentials?

Also how does this refreshing token impact users? If I ship my client with client credentials and someone gets a refreshed token will the next person to open the application with the same client credentials not have access?

[dasha-kobzeva]

@Keeper-of-the-Keys,
I would suggest getting a bit more familiar with authentication as a concept, I'm sure they have a better explanation than what I can provide here.

https://auth0.com/docs/authorization/flows/which-oauth-2-0-flow-should-i-use