The only way to revoke Spotify API tokens is to delete your account

This could actually be the source of a bug I (and others) have been experiencing for a while. I&#x27;m listening to Spotify when all of a sudden, music pauses and I get a &quot;your account is being used somewhere else&quot;. The first few times I actually though it was true, but since then I&#x27;ve tried to &quot;log out from every device&quot; and log in again on one device, only to find the bug happening again 2 minutes later.<p>Seeing that, my hypothesis is that I gave Spotify access to a 3rd party app way back (maybe a Sonos sound system at a rental house, maybe the Uber app) that has been using my token to play music without my explicit consent… and there is no way for me to revoke those tokens.

Official Spotify Web API feature request ticket: <a href="https:&#x2F;&#x2F;github.com&#x2F;spotify&#x2F;web-api&#x2F;issues&#x2F;126" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;spotify&#x2F;web-api&#x2F;issues&#x2F;126</a>

Spotify, in general, appears to consider accounts disposable. I think I saw something about this getting better recently, but a few months ago the only way to move my paid account to a family subscription was to delete the old account and create new accounts for everyone I wanted in the family plan.

I work at Stormpath (an Auth as a Service company) and see stuff like this all the time. It&#x27;s actually really hard to do token revocation properly; People implement tokens and see revocation as a feature to be implemented &quot;in the future&quot;.<p>I also noticed, for instance, that a LinkedIn app developer cannot rotate API Keys used to access LinkedIn&#x27;s service. Again, the solution is to delete the app &amp; restart. :&#x2F;

Somewhat off-topic but the only way to revoke Spotify Connect access to a device is to change your password, then log out, and back in.<p>I found that until I did the above I could not remove my friend&#x27;s Denon receiver from the list of devices.

Actually contacted support on this asking them to revoke all tokens - they responded I&#x27;d have to create a new account to remove the facebook integration ...cause that&#x27;s what I asked for, after another 2 emails back and forth I just gave up

I really hope we move past a model where a company both needs good lawyers, to get the licensing deal with the record companies, and a good software team, to get the app right. I really hope an intermediate layer arises, such that talented app developers can write good streaming music apps without needing to talk to the RIAA first, but rather by just purchasing access to the content through some &quot;music wholesale&quot; service.

Delete your account!

Ok so the lesson here is be really careful where you allow API access using your keys.