Spotify Redirect Issues

I’ve had Spotify configured and working for a long time. Recently, I encountered some issues, so I removed the configuration and tried to re-add it, but I have faced constant problems.

I got my Client ID and Client Secret etc and used https://my.home-assistant.io/redirect/oauth but after entering, I get the following:

clicking link account gives me:

I assumed My Home Assistant might be disabled - So I used my DuckDNS address (https://myaddress.duckdns.org:8443/auth/external/callback) and get the error INVALID_CLIENT: Invalid redirect URI

Where am I going wrong, please?

I haven’t changed any network settings or made any adjustments within HomeAssistant. To add (if relevant) I also use HA cloud.

@Jakesa
I recommend the following instructions to users of my SpotifyPlus Integration when they experience issues like this. Hope it helps!

OAuth Redirect Errors - INVALID_CLIENT: Invalid client

This error can occur sometimes when initially installing (or reinstalling) the SpotifyPlus Integration (it can also occur for the HA Spotify Integration). I believe it’s either due to a malformed Redirect URI value in the Spotify Developer Application details, or when something doesn’t get cleaned up correctly during the integration uninstall process.

To fix this, you need to do ALL of the following:

  1. verify that the https://my.home-assistant.io/redirect/oauth uri is listed in the Spotify Developer Application settings “Redirect URIs” list. This is an internal url that Home Assistant uses to intercept the OAuth2 request redirect result. The entry must be listed exactly as it is spelled (case-sensitive), and without the ending slash.
  2. Go to the Home Assistant Application Credentials settings (under Settings \ Devices, click on 3 vertical dots menu in upper right and select Application Credentials) and see if it created any OAuth application credentials related to SpotifyPlus (or Spotify if you’re installing HA Spotify). If so, delete them.
  3. Open the Spotify Web Player in a new browser window and logout of Spotify. This will force you into a logon screen the next time you try to authorize the OAuth request.
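Added example (not part of the original post and not SpotifyPlus code): a check for step 1 that pulls `redirect_uri` out of the authorize URL shown in the browser and compares it exactly against the registered list, naming the near-miss. The function names, client ID and state value are constructed, and exact case-sensitive matching is assumed from the post's description.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Value the post says must be registered in the Spotify Developer App.
REGISTERED = ["https://my.home-assistant.io/redirect/oauth"]


def redirect_uri_from_authorize_url(authorize_url):
    """Return the decoded redirect_uri parameter of an OAuth2 authorize URL."""
    values = parse_qs(urlsplit(authorize_url).query).get("redirect_uri", [])
    if len(values) != 1:
        raise ValueError("expected exactly one redirect_uri parameter")
    return values[0]


def explain_mismatch(sent, registered):
    """Name the parts in which two redirect URIs differ."""
    s, r = urlsplit(sent), urlsplit(registered)
    reasons = []
    if s.scheme != r.scheme:
        reasons.append("scheme")
    if s.netloc != r.netloc:
        if s.hostname != r.hostname:
            reasons.append("host")
        elif s.port != r.port:
            reasons.append("port")
        else:
            reasons.append("host letter case")
    if s.path != r.path:
        if s.path.rstrip("/") == r.path.rstrip("/"):
            reasons.append("trailing slash")
        elif s.path.lower() == r.path.lower():
            reasons.append("path letter case")
        else:
            reasons.append("path")
    if (s.query, s.fragment) != (r.query, r.fragment):
        reasons.append("query or fragment")
    if sent != registered and not reasons:
        # e.g. an upper-case scheme, which urlsplit normalises away
        reasons.append("letter case")
    return reasons


def check_redirect_uri(sent, registered_list):
    """Exact, case-sensitive match; on failure map each registered URI to its differences."""
    if sent in registered_list:
        return True, {}
    return False, {reg: explain_mismatch(sent, reg) for reg in registered_list}


def sample_authorize_url(redirect_uri):
    """Constructed authorize URL; the client_id and state are placeholders."""
    params = {"response_type": "code", "client_id": "CONSTRUCTED_CLIENT_ID",
              "redirect_uri": redirect_uri, "state": "constructed-state"}
    return "https://accounts.spotify.com/authorize?" + urlencode(params)


if __name__ == "__main__":
    # Constructed candidates: the correct value, two near-misses, and the
    # DuckDNS callback from the first post.
    for candidate in (
        "https://my.home-assistant.io/redirect/oauth",
        "https://my.home-assistant.io/redirect/oauth/",
        "https://my.home-assistant.io/Redirect/OAuth",
        "https://myaddress.duckdns.org:8443/auth/external/callback",
    ):
        sent = redirect_uri_from_authorize_url(sample_authorize_url(candidate))
        print(sent, check_redirect_uri(sent, REGISTERED))
```

To use it on a real attempt, paste the full `accounts.spotify.com/authorize?...` URL from the browser address bar into `redirect_uri_from_authorize_url` and put your own Redirect URIs list in `REGISTERED`.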

Hi, thank you for your advice. Unfortunately, I’m still encountering the same issue after following the steps.

It directs me to Spotify to log in and instructs me to link Home Assistant after logging in, but then I receive:

It could be an issue with the way you are linking your account. I took the following out of the SpotifyPlus Integration Install Instructions wiki doc.

Note the "IMPORTANT" parts of the doc below. Note that I use http://homeassistantvm:8123 in my environment. Are you using http://homeassistant.local:8123? or https://homeassistant.local:8123? or do you have a custom url? Note that you should NOT be using your public facing url to do this (has to be the local HA url as mentioned above).

Note that you may also need to repeat the deletion of the Application Credentials mentioned earlier in order to retry.

Step 4e - Home Assistant Link Account

Click on Link Account (see Figure 4e) to allow Home Assistant to link the OAuth2 Application Credential to Spotify.

IMPORTANT - Note the hi-lited URL prefix value in the Figure 4e example (top of the page in the URL); this should match the Redirect URI value (e.g. https://my.home-assistant.io/redirect/oauth) that you entered for the Spotify Developer Application in Step 2b - Create Application. If it does NOT match, then you will need to modify the Spotify Developer Application settings and add it as an allowed Redirect URI value. Note that you can specify more than one Redirect URI value in the Spotify Developer Application settings. You can adjust the Spotify Developer Application settings after this step is complete if need be.

IMPORTANT - Note the Your Instance URL value in the Figure 4e example (toward the bottom); this should match the url that you use to access Home Assistant. You may need to adjust the http:// to https:// if you access your instance of Home Assistant via Secure Sockets Layer (SSL). Click the pencil icon to the right of the Your Instance URL url value to adjust the entry if necessary.

Figure 4e - Home Assistant Link Account Form

I use https://serverURL:8123. I noticed on the 'link to home assistant' page my instance URL was not matching. I edited this as you described and no longer get the same error as before.

However, I am now getting the error Error while obtaining access token :

I deleted credentials and logged out of Spotify before attempting this.

@Jakesa
Progress is good. :slight_smile:

Rerun the process, including removing App Credentials / Spotify Logout. You might try using the SpotifyPlus Integration Install Instructions, but just substitute the Spotify Integration (or just install SpotifyPlus if you like - it’s a direct replacement for the HA Spotify integration).

When you get to the “Link Account to Home Assistant?” screen, take a screen capture of that window, including the browser url (like my Figure 4e picture in the previous reply). I need to know what url prefix is being used for the request, as well as what the instance url is.

Also post a screen capture of your Spotify Developer App settings (don’t need the client id). I’m interested in what the “Redirect URIs” value looks like. It will look similar to this:

Sorry, this may be a silly question, but does SpotifyPlus work with Spotcast?

Here is the screen capture:

I noticed my HA instance URL was not in the Spotify dev account redirect URLs like the image you provided so I tried it with that too but I still got the same error

Error while obtaining access token

@Jakesa

Regarding the Spotify Developer App Redirect URIs settings:

  • https://192.168.1.10:8123 is not needed, and should be removed from the Spotify Developer App Redirect URIs settings
  • https://my.home-assistant.io/redirect/oauth matches the browser url for the “Link Account to Home Assistant?” page, which is correct.
  • Note that the http://127.0.0.1:8090/ and http://127.0.0.1:8080/ (localhost) entries in my Spotify Developer App settings are used to test other processes outside of Home Assistant, so you will not need those 2 entries.

Regarding the https://192.168.1.10:8123/:

  • is this the url that you use to access your HA instance? or do you use http://192.168.1.10:8123/ (e.g. not HTTPS)? If you are using https://192.168.1.10:8123/, then I would retry the process with the http://192.168.1.10:8123/ url. It might be running into an SSL certificate issue when trying to use the HTTPS url.

Regarding Spotcast

SpotifyPlus does not require Spotcast to work. It uses its own methods of re-activating Google Cast devices that require it.

You can keep Spotcast installed if it is used for other things if you like; it will not interfere with SpotifyPlus, or vice versa. You can also have the regular HA Spotify integration installed as well, if you want to compare it to SpotifyPlus.

Thank you for this help.

Yes I use https://192.168.1.10:8123/ to access my HA instance.

when I try the process with http://192.168.1.10:8123/:

I get the following:

@Jakesa
It appears the latest http://192.168.1.10:8123/ was a step back, and exhibits the same behavior as the https://homeassistant.local:8123/.

Do you have the homeassistant: key specified in your configuration.yaml file? If so, what do you have specified for the internal_url: value? Your homeassistant: key should look something like this:

homeassistant:
  external_url: 'https://xxxxxxx.duckdns.org'
  internal_url: 'http://192.168.1.248:8123'
  allowlist_external_dirs:
  ...

If you DO have an internal_url: value, then use that value to access your Home Assistant image from your browser of choice. In the example above, I use http://192.168.1.248:8123 to access my HA on the internal network. I also use the Google Chrome browser myself, but any browser should work.

With that said, let’s try adding the HA Application Credentials manually (instead of through the Spotify integration install process).
Use the following:

***** IMPORTANT *****
You will want to clear any previous Application Credentials again, as well as log out of Spotify.

Also restart Home Assistant and clear your browser cache (including files, cookies, and images) prior to executing the following steps.

Step 3 - Home Assistant Application Credential(s)

We are now ready to add Home Assistant Application Credentials for each of the Spotify Developer Applications that were created in Step 2.

Go to the Application Credentials page to list any existing OAuth2 application credentials, as well as define new ones. This is located under Settings \ Devices & Services \ Application Credentials (have to click the 3 dots menu in the upper right corner).

Step 3a - Add Application Credential(s)

Click the Add Application Credentials button to add a new credential.

Fill in the Credential Form fields (see Figure 3a):

  • Integration: Spotify (select from dropdown list).
    Note - if you don’t see the Spotify entry in the list, then it denotes that a problem occurred with the integration installation (e.g. failed, HA was not restarted, browser cache was not cleared, etc).
  • Name: Enter a name for the credential. I would suggest using “Spotify FIRST LAST” for this value, with FIRST being the Spotify user first name and LAST being the Spotify user last name (e.g. “Spotify John Smith”).
  • OAuth client ID: The Spotify Developer App Client ID value for the Spotify User.
  • OAuth client secret: The Spotify Developer App Client Secret value for the Spotify User.
  • click Add to add the credential.

Figure 3a - Home Assistant Application Credentials Form

For multiple Spotify User support, repeat the above step for each of the Spotify Developer Applications that you created. Once you are done, your Application Credentials list should contain all of your Spotify credential entries (see Figure 3b).

Figure 3b - Home Assistant Application Credentials List

If the above worked, then you are now ready to add the Spotify integration. When you add the integration, it should allow you to select a pre-existing Application Credential to use with the Spotify instance being installed (assuming the above steps worked to add the credential).

@Jakesa
Did the above reply get this working for you? Please let me know either way.
Thanks

Hi,

I apologise for the late reply. I have been busy with my dissertation and starting a new job. Now, I am returning to this issue, which I have been trying to resolve for months.

I have decided to abandon Spotcast and switch to Spotify Plus, but I seem to be encountering similar issues:

Your instructions state to select the Spotify integration in the add credentials section, but you have SpotifyPlus selected. Could you please confirm which one I should select?

@Jakesa
You should be selecting the SpotifyPlus entry in the Integration drop down list.

Since it has been a few months since you last tried this, I would say ignore the suggestions in the previous thread replies and follow the wiki documentation starting with the Pre-Installation Requirements step. There have been quite a few tweaks and updates in the past few months to the installation process. That will ensure you have your Spotify Developer App settings correct, as well as how to install the integration service.

It seems I have chosen the worst time to address this issue. Spotify has recently suspended the ability to create new developer apps, with no timeline for when this feature will return. Hopefully it’s only temporary.

@Jakesa
If you already have a Spotify Developer App created, then go ahead and use it. Just verify that all of the redirect uri values are correct. It should still work, and you can still edit existing developer apps I believe.

I have no idea when Spotify will be opening the Developer Portal back up for new App entries. There is an open issue on the Spotify Community Forum for this, but no response yet.

I keep hitting a brick wall whenever I try to add the integration. I can’t figure out where I’m going wrong. Each time SpotifyPlus attempts to connect to the Spotify API, I receive an SSL certificate verification failure.

I’ve followed all the steps and tried several times, deleting credentials and starting from scratch each time, but I continue to encounter the same error.

SpotifyClient authorization token could not be set from OAuth2 session token; please check the System Log for further information.



Logs:

This error originated from a custom integration.

Logger: custom_components.spotifyplus.config_flow
Source: custom_components/spotifyplus/config_flow.py:168
integration: SpotifyPlus (documentation, issues)
First occurred: 14:16:34 (1 occurrence)
Last logged: 14:16:34

SpotifyApiError: SAM0001E - An unhandled exception occured while processing method "MakeRequest". HTTPSConnectionPool(host='api.spotify.com', port=443): Max retries exceeded with url: /v1/me (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))
Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/urllib3/contrib/pyopenssl.py", line 520, in wrap_socket
    cnx.do_handshake()
    ~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/site-packages/OpenSSL/SSL.py", line 2432, in do_handshake
    self._raise_ssl_error(self._ssl, result)
    ~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/OpenSSL/SSL.py", line 2048, in _raise_ssl_error
    _openssl_assert(
    ~~~~~~~~~~~~~~~^
        reason == _lib.SSL_R_UNEXPECTED_EOF_WHILE_READING
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/usr/local/lib/python3.13/site-packages/OpenSSL/_util.py", line 76, in openssl_assert
    exception_from_error_queue(error)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/OpenSSL/_util.py", line 62, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', '', 'certificate verify failed')]

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 464, in _make_request
    self._validate_conn(conn)
    ~~~~~~~~~~~~~~~~~~~^^^^^^
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 1093, in _validate_conn
    conn.connect()
    ~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/site-packages/urllib3/connection.py", line 796, in connect
    sock_and_verified = _ssl_wrap_socket_and_match_hostname(
        sock=sock,
    ...<14 lines>...
        assert_fingerprint=self.assert_fingerprint,
    )
  File "/usr/local/lib/python3.13/site-packages/urllib3/connection.py", line 975, in _ssl_wrap_socket_and_match_hostname
    ssl_sock = ssl_wrap_socket(
        sock=sock,
    ...<8 lines>...
        tls_in_tls=tls_in_tls,
    )
  File "/usr/local/lib/python3.13/site-packages/urllib3/util/ssl_.py", line 483, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
  File "/usr/local/lib/python3.13/site-packages/urllib3/util/ssl_.py", line 527, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
           ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/urllib3/contrib/pyopenssl.py", line 526, in wrap_socket
    raise ssl.SSLError(f"bad handshake: {e!r}") from e
ssl.SSLError: ("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    response = self._make_request(
        conn,
    ...<10 lines>...
        **response_kw,
    )
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 488, in _make_request
    raise new_e
urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])",)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/lib/python3.13/site-packages/spotifywebapipython/spotifyclient.py", line 1400, in MakeRequest
    response = self._Manager.request(method, url, headers=msg.RequestHeaders)
  File "/usr/local/lib/python3.13/site-packages/urllib3/_request_methods.py", line 135, in request
    return self.request_encode_url(
           ~~~~~~~~~~~~~~~~~~~~~~~^
        method,
        ^^^^^^^
    ...<3 lines>...
        **urlopen_kw,
        ^^^^^^^^^^^^^
    )
    ^
  File "/usr/local/lib/python3.13/site-packages/urllib3/_request_methods.py", line 182, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/urllib3/poolmanager.py", line 457, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 871, in urlopen
    return self.urlopen(
           ~~~~~~~~~~~~^
        method,
        ^^^^^^^
    ...<13 lines>...
        **response_kw,
        ^^^^^^^^^^^^^^
    )
    ^
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 871, in urlopen
    return self.urlopen(
           ~~~~~~~~~~~~^
        method,
        ^^^^^^^
    ...<13 lines>...
        **response_kw,
        ^^^^^^^^^^^^^^
    )
    ^
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 871, in urlopen
    return self.urlopen(
           ~~~~~~~~~~~~^
        method,
        ^^^^^^^
    ...<13 lines>...
        **response_kw,
        ^^^^^^^^^^^^^^
    )
    ^
  File "/usr/local/lib/python3.13/site-packages/urllib3/connectionpool.py", line 841, in urlopen
    retries = retries.increment(
        method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
    )
  File "/usr/local/lib/python3.13/site-packages/urllib3/util/retry.py", line 519, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='api.spotify.com', port=443): Max retries exceeded with url: /v1/me (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/config/custom_components/spotifyplus/config_flow.py", line 168, in async_oauth_create_entry
    await self.hass.async_add_executor_job(
        spotifyClient.SetAuthTokenFromToken, clientId, data["token"], tokenProfileId
    )
  File "/usr/local/lib/python3.13/concurrent/futures/thread.py", line 59, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.13/site-packages/spotifywebapipython/spotifyclient.py", line 17931, in SetAuthTokenFromToken
    self.MakeRequest('GET', msg)
    ~~~~~~~~~~~~~~~~^^^^^^^^^^^^
  File "/usr/local/lib/python3.13/site-packages/spotifywebapipython/spotifyclient.py", line 1458, in MakeRequest
    raise SpotifyApiError(SAAppMessages.UNHANDLED_EXCEPTION.format(apiMethodName, str(ex)), ex, logsi=_logsi)
spotifywebapipython.spotifyapierror.SpotifyApiError: SpotifyApiError: SAM0001E - An unhandled exception occured while processing method "MakeRequest".
HTTPSConnectionPool(host='api.spotify.com', port=443): Max retries exceeded with url: /v1/me (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])")))

@Jakesa

HTTPSConnectionPool(host='api.spotify.com', port=443): 
Max retries exceeded with url: /v1/me 
SSLError("bad handshake: Error([('SSL routines', '', 'certificate verify failed')])"

That error indicates there is something wrong with your SSL certificate chain on your client. It could be any of the following:

  • Python cannot validate Spotify’s HTTPS certificate.
  • TLS handshake fails before OAuth or /v1/me is even called.
  • Spotify’s certificate is valid, so the failure is on your system.

Questions:

  1. What is your HA installation method and version? These can be found in Settings \ About under the Installation method and core values.

  2. What url are you using to access your Home Assistant instance? e.g. http://homeassistant.local:8123/? or is it a cloud provider / custom url like https://cloudfare.myhaprod/?

  3. are you using the NGINX HA SSL Proxy add-on?

Per chatGPT, here are the leading causes of the error - the #2 could be the culprit if you are running NGINX add-on; #1 could be the culprit if you are running a HA in a docker container or a python venv instance.

:one: Broken / missing CA certificates on the system

Very common on:

  • Windows + Python 3.11+
  • Custom Python installs
  • Embedded systems
  • Home Assistant containers
  • venvs created before cert updates

Spotify uses Let’s Encrypt + DigiCert chains, so if your trust store is stale → handshake fails.

:two: Corporate proxy / MITM SSL inspection

If you are behind:

  • Corporate firewall
  • Antivirus HTTPS inspection
  • SSL proxy (NGINX, Zscaler, Blue Coat, etc.)

The proxy:

  • Replaces Spotify’s cert
  • Python doesn’t trust it
  • → cert verify failed

  1. Home Assistant OS / 2025.12.5
  2. http://192.168.1.10:8123
  3. Proxy: No, I am NOT using the official ‘NGINX HA SSL Proxy’ add-on. I do have Nginx Proxy Manager installed, but I use it exclusively for a separate add-on (Mealie).

My Home Assistant instance itself is NOT behind this proxy. I access Home Assistant locally via HTTP (http://192.168.1.10:8123).

Regarding the SSL/MITM suspicion:

I suspect you are right that something is interfering with the connection, but I have tried to rule out the usual suspects:

Router (BT Smart Hub - UK): I thought this might be due to the “Web Protect” / “Smart Setup” features built into my router, but I have disabled these features and am still getting the same issues.

AdGuard: I have also tried disabling AdGuard Home completely to rule out DNS blocking.

@Jakesa
You might try disabling Nginx Proxy Manager if you can as well. I am not familiar with Nginx Proxy Manager, but per chatGPT it could affect OAuth processing for various services (see below).

You also want to ensure you have your internal and external url’s set in your configuration.yaml settings. For example, something like this (change to your specifics):

homeassistant:
  name: 'HA PROD Instance'
  language: en
  external_url: 'https://your.domain.com'
  internal_url: 'http://192.168.1.10:8123'

When NPM DOES affect other add-ons (common issues)

:one: OAuth / Application Credentials break (VERY common)

Examples:

  • Spotify
  • Google
  • Microsoft
  • Jellyfin OAuth
  • Cloud integrations

Cause

  • Wrong external_url
  • Missing X-Forwarded-* headers
  • HTTP ↔ HTTPS mismatch

I have an internal URL set in YAML, but I don’t have an external URL. I use nabucasa for external access. I tried disabling NPM, but the same error appeared.