401 api.soundcloud.com/{track_urn}/streams/<uuid>/hls

[elft]

Using client authentication flow

fetch(
    'https://api.soundcloud.com/tracks/<track_urn>/streams,
    {
         headers: {
              'Authorization': 'Bearer <access_token>',
               'Accept: '*/*',
        }
    }
)

const response =
{
hls_aac_160_url: "https://api.soundcloud.com/tracks/{track_urn}/streams/<uuid>/hls"
hls_mp3_128_url: "https://api.soundcloud.com/tracks/{track_urn}/streams/<uuid>/hls"
...
}

const element = new Audio();
element.crossOrigin = 'anonymous';;
element.controls = false;
element.src = response.hls_mp3_128_url
element.load();

I used to take the hls_mp3_128_url directly from the response above and set the source of an Audio HTML element directly but now getting a 401 unauthorized. I believe up to today the https://api.soundcloud.com/tracks/<track_urn>/streams used to return the actual streamable url (cf-hls-media.sndcdn.com?params) with more query string params for the authentication, but now the tracks/<track_urn>/streams url does not.

I can add my access token as an authorization header, make a fetch to grab the actual audio data stream url before adding to the Audio Element as a src URL but then running into cors issues on safari.

--get actual audio data stream url
const response = fetch(
'https://api.soundcloud.com/tracks/{track_urn}/streams/<uuid>/hls',
    {
         headers: {
              'Authorization': 'Bearer <access_token>',
              'Accept: '*/*',
        }
    }
)

--take above response and plug that directly into, fails on safari
const element = new Audio();
element.crossOrigin = 'anonymous';;
element.controls = false;
element.src = response.url
element.load();

[dpreussler]

@elft thanks for pointing this out and sorry about this breaking

The behavior is indeed bit different now, you have to keep the call authenticated.

Alternative (for now) would be the follow that hls_aac_160_url authenticated from your code (with HEAD for no performance issue in case things change again) , you will get a 302 redirect to the url you can then give to player without authentication

[elft]

No worries and thank you was able to get it to work on both chrome/safari with your suggestion!

[dpreussler]

I'll keep this open for a few days for other's who might run into the same

[ymeskini]

Please, next time, communicate ahead of this kind of breaking change

[superturboryan]

I'm also receiving reports of this breaking all streaming.

This seems like a change that should have been announced. The API explorer isn't updated, and there's no release published on this repo?

[dpreussler]

Hi there,
We never publish releases on this repo.
I'll make it more clear in the explorer that all calls need to be authenticated!

Sorry again for the interruptions.

[aheadfullofcode]

What's going on, this has completely borked my clients website. Can we have a detailed explanation of what's changed?

[dpreussler]

@aheadfullofcode all infos are here on the thread.
The calls to the streaming endpoint you get from /streams still need to stay authenticated (with a valid token)

[kndpt]

Thanks for the clarification, but this kind of breaking change without prior notice has a real impact on production apps.

Many of us were relying on the fact that /streams returned already-signed CDN URLs usable directly in a player. Changing this behavior overnight without deprecation notice, changelog, or API Explorer update instantly broke streaming for end users.

I understand the need to keep endpoints authenticated, but a short announcement, migration note, or timeline would have avoided production incidents.

Have a good day team!

[superturboryan]

@dpreussler in the past, some updates to the API have been posted here: https://github.com/soundcloud/api/releases - most recently in June this year.

Can you please confirm if this is no longer being used? 🤝

[dpreussler]

@superturboryan we'll keep using that. missed it indeed for this change. It was more of an security fix with unexpected side effect as of the undocumented status of the nature of the urls returned.

Thanks everyone for your input! We'll try to communicate better next time 🙏

[antoinerousseau]

Hey guys, at Shotgun, playing a preview in the app was a core feature of it, and it's now broken, without a warning from your team: I couldn't read anything about it in your dev blog.

Besides, our private API was making the authenticated calls to your API to get the stream URL that was then passed on to the app, but it seems it would be a security hole to give the app the auth token, since the user shouldn't access it, should they?

Also, could you revert this change and give a warning and a grace period before reimplementing it? Our users are killing us...

[aand01]

Also, could you revert this change and give a warning and a grace period before reimplementing it? Our users are killing us...
☝️
Yes please!

[dpreussler]

Hey guys, at Shotgun, playing a preview in the app was a core feature of it, and it's now broken, without a warning from your team: I couldn't read anything about it in your dev blog.

Besides, our private API was making the authenticated calls to your API to get the stream URL that was then passed on to the app, but it seems it would be a security hole to give the app the auth token, since the user shouldn't access it, should they?

You can still get the CDN urls by doing a HEAD to get the redirect as described here:
#478 (comment)