No, my collage generator for Spotify cannot “hack” your Spotify

Alex White
3 min readJul 1, 2020


When you sign into an app that is not Spotify with your Spotify account, that app will ask for your permission to use certain parts of your Spotify data. What this looks like is a screen like the following:

If you click Agree, you as a user are granting that app access to only the data described on the page. For example, this collage generator can view your name, username, profile picture, how many followers you have, your public playlists, what you’ve saved in your library (top artists, etc), and NOTHING ELSE. It cannot modify any of your Spotify data, meaning that it can’t add music to your library, remove music from your library, or anything of that nature.

How do I know I can trust what the authorization page is saying?

This is an important thing to consider. How do you know that I, the developer, didn’t just create this page to look like a real Spotify page? How do you know that when you click Agree, you are only agreeing to what the page says you’re agreeing to? Well, two reasons.

  1. The URL (the website’s address in the bar at the top of the page) is [something] (in this case, it's Whenever you see that, you can be 99% confident that what you're seeing is genuine. The other 1% of confidence comes from the second reason:
  2. Your connection is secure. You know this because of the lock icon in the address bar.

Because of these two reasons, you can be 100% confident that the page you’re seeing is from Spotify itself, and has no affiliation with me or my website. This means that there is no possible way for me to see your password, because you entered it on a page that isn’t mine, it’s Spotify’s. The best part about this is that you don’t have to trust me at all! This system (and others like it where you sign in to something with some other account) was designed to not rely on you having to trust the site you’re signing into. You only have to trust the provider (Spotify in this case) when they tell you (on their own page, over a secure connection), “hey, this data here on this authorization page is the only data that this app can access.”

But it seems like my Spotify has been hacked

Maybe it has been, but that’s not because of this app. There are two possibilities:

  1. Someone knows your password
  2. You gave an app permission to do something and you didn’t realize you gave it that permission.

Remember this screen?

There are a whole bunch of things developers can ask you for permission for, other than the ones that my app does. You can find a list of them here. For example, an app can ask your permission to modify your playlists, modify your library, or follow other people. Since my app doesn’t ask for any of those permissions, it can’t modify any of your Spotify data. However, another app might try to sneak these permissions in without you noticing. So make sure you read what you’re agreeing to.



Alex White