The only way to revoke Spotify API tokens is to delete your account
Yesterday I switched to Spotify as a part of a family subscription, after using Google Play Music for about a year. I had a free Spotify account from back in 2008-2009, and I figured I’d just use that one, instead of creating a new one. Looking for a way to convert my playlist, I ran into somewhat of a privacy issue.
The service I used, did create a playlist, but my songs never appeared in the list. It stayed empty. Strange. Maybe the service doesn’t work anymore? Well, I’ll just revoke the app access and try another one.
Looking through my account settings, I found no way to revoke third party tokens, like you find on Twitter, Facebook and Google accounts. It turns out Spotify has been operating its web API for two years without a way for users to revoke tokens!
In my view, this is a serious privacy issue. Web services change hands, and get hacked from time to time, and who knows who will get hold of your tokens in the future?
Upon contacting Spotify support, and exchanging a couple of emails with them, I was told that there was no way for me, nor them, to revoke third party app access to my account. In fact, they suggested I delete my account, and create a new one. Which would result in me losing the playlists I spent hours yesterday manually transferring from Google Play Music. Customer support at its very best, ey?
If you are a Spotify user, then be careful which apps you grant access to your account. And please put pressure on Spotify to implement a way of revoking tokens by sharing this post, contacting Spotify support about the issue, or let their developers know in the Github issue linked above.