401 error when accessing MusicKit API via node.js

Question

I'm trying to access the MusicKit API but it keeps returning a 401 unauthorized error. I can't figure this out. I have this code to generate a Developer Token:

const privateKey = fs.readFileSync("resources/AuthKey.p8").toString();  
  const teamId = "MYTEAMID";  
  const keyId = "MYKEYID";  

  const options = {  
    algorithm: "ES256",  
    expiresIn: "180d",  
    issuer: "MYTEAMID", // your 10-character Team ID, obtained from your developer account  
    header: {  
      alg: "ES256",  
      kid: "MYKEYID", // your MusicKit Key ID  
    },  
  };  

  return new Promise((resolve: any, reject: any) => {  
    jwt.sign({}, privateKey, options, (error, token) => {  
      if (error) {  
        return reject(error);  
      } else { // token created  
        return resolve(token);  
      }  
    });  
  });

This generates a successful token. When decoded, this token has header the values like:

{  
 "alg": "ES256",  
 "typ": "JWT",  
 "kid": "MYKEYID"  
}

and the payload values like:

{  
 "iat": 1558197586,  
 "exp": 1573749586,  
 "iss": "MYTEAMID"  
}

I know Apple doesn't specify typ in the header, so could this be an issue?

I then try to use that in a curl request for a sample artist like curl -v -H 'Authorization: Bearer <MYTOKEN>' "https://api.music.apple.com/v1/catalog/us/artists/36954" but it comes back with a 401 error:

Trying 23.13.216.88...  
* TCP_NODELAY set  
* Connected to api.music.apple.com (23.13.216.88) port 443 (#0)  
* ALPN, offering h2  
* ALPN, offering http/1.1  
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH  
* successfully set certificate verify locations:  
*   CAfile: /etc/ssl/cert.pem  
 CApath: none  
* TLSv1.2 (OUT), TLS handshake, Client hello (1):  
* TLSv1.2 (IN), TLS handshake, Server hello (2):  
* TLSv1.2 (IN), TLS handshake, Certificate (11):  
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):  
* TLSv1.2 (IN), TLS handshake, Server finished (14):  
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):  
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):  
* TLSv1.2 (OUT), TLS handshake, Finished (20):  
* TLSv1.2 (IN), TLS change cipher, Client hello (1):  
* TLSv1.2 (IN), TLS handshake, Finished (20):  
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384  
* ALPN, server accepted to use h2  
* Server certificate:  
*  subject: businessCategory=Private Organization; jurisdictionCountryName=US; jurisdictionStateOrProvinceName=California; serialNumber=C0806592; C=US; ST=California; L=Cupertino; O=Apple Inc.; OU=Internet Services for Akamai; CN=itunes.apple.com  
*  start date: May  1 00:00:00 2019 GMT  
*  expire date: May  1 12:00:00 2020 GMT  
*  subjectAltName: host "api.music.apple.com" matched cert's "api.music.apple.com"  
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA  
*  SSL certificate verify ok.  
* Using HTTP2, server supports multi-use  
* Connection state changed (HTTP/2 confirmed)  
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0  
* Using Stream ID: 1 (easy handle 0x7ff42a004600)  
> GET /v1/catalog/us/artists/36954 HTTP/2  
> Host: api.music.apple.com  
> User-Agent: curl/7.54.0  
> Accept: */*  
> Authorization: Bearer eyJh...
>  
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!  
< HTTP/2 401  
< content-type: application/json; charset=utf-8  
< access-control-allow-origin: *  
< strict-transport-security: max-age=31536000; includeSubDomains  
< date: Sat, 18 May 2019 16:33:58 GMT  
< x-cache: TCP_MISS from a104-117-183-52.deploy.akamaitechnologies.com (AkamaiGHost/9.6.4.1-25700704)   
<  
* Connection #0 to host api.music.apple.com left intact

Why???

roman · Accepted Answer · 2019-05-19T17:19:29.320

1

Not sure which jwt library you're using and if you're using correctly.

This works for me:

const jwt = require('jsonwebtoken');
const fs = require('fs')

const APNS_KEY_ID = 'XXXXXXXXXXX'
const TEAM_ID = 'XXXXXXXXXXX'

const TWENTY_FOUR_HOURS = 1000 * 60 * 60 * 24;
const privateKey = fs.readFileSync("keys/AuthKey.p8").toString();

const generateToken = () => {
  var now = new Date();
  var tomorrow = new Date(now.getTime() + TWENTY_FOUR_HOURS);
  token = jwt.sign({
    'iss': TEAM_ID,
    'iat': Math.floor(now / 1000),
    'exp': Math.floor(tomorrow / 1000)
  }, privateKey, { algorithm: 'ES256', 'keyid': APNS_KEY_ID})
  console.log('Apple token generated', token)
  return token
}
generateToken()

To test:

curl -X GET \
  'https://api.music.apple.com/v1/catalog/us/search?term=drake&types=songs&limit=1' \
  -H 'Authorization: Bearer eyJh...'

edited May 19 '19 at 17:19

answered May 19 '19 at 16:18

roman

537
2
5

Thanks for the answer, but it just isn't working for me :( I just don't know what's wrong. I'm using the same `jsonwebtoken` library as you and everything. – Tometoyou May 19 '19 at 17:05
I can call the "simulate too many errors" endpoint fine using my token generation and it gives me the correct 429 error code, but not the actual endpoint – Tometoyou May 19 '19 at 17:15
Maybe try a shorter `exp`. 180 is the max, I think. – roman May 19 '19 at 17:29
I've tried that, I tried your code, it just won't work. Could you give me an example of a token you've generated for me to try it? – Tometoyou May 19 '19 at 17:30
I tried the same cURL command with my token and then yours (from your snippet). Works with mine and not with yours. The only differences are the `kid`, `iss`, `iat`, `exp`, which are expected. Maybe regenerate your private key (https://developer.apple.com/account/ios/authkey/) for the MusicKit service. Should be a 3 line file. – roman May 19 '19 at 17:39
Our code seems to generate the same token, I've tried both your code and mine and it generates the same header and payload. I tried regenerating the key.. still doesn't work. Btw your code wouldn't work because `'iat': Math.floor(now / 1000)` needs to be `'iat': Math.floor(now.getTime() / 1000)`. – Tometoyou May 19 '19 at 18:11
One other thing to double check, which I was getting wrong - your MusicKit Key ID should be a 10 digit alphanumeric code, rather than a reverse domain ID (e.g., `music.com....`) - you can get it from your Apple Developer Account by selecting your MusicKit Key in the Keys section. – Simon Rice May 27 '19 at 12:18
For anyone looking, the problem was I hadn't accepted some updated license agreement... – Tometoyou Nov 14 '19 at 11:29

401 error when accessing MusicKit API via node.js

1 Answers1

Linked