
In starting to work with MusicKit JS in a React app, I came across this method for loading the library (no NPM package available) in the documentation here:

<head>
 ...
 <meta name="apple-music-developer-token" content="DEVELOPER-TOKEN">
 <meta name="apple-music-app-name" content="My Cool Web App">
 <meta name="apple-music-app-build" content="1978.4.1">
 ...
</head>

This is super easy, but it doesn't seem safe to be putting the developer token in a place where anyone can read it.

QUESTION: Is this safe, and/or is there a better way to do this?

For the record, I did try the approach of setting up a "musickitloaded" event listener, but I couldn't get it to fire consistently.

Also, using an environment variable like the below does not hide the token:

<meta
  name="apple-music-developer-token"
  content="%REACT_APP_APPLE_MUSIC_DEVELOPER_TOKEN%"
/>
    This [article](https://www.jagandeepbrar.io/blog/apple-music-tokens/) discusses the same issue and has the same concerns as you. Conclusion seems to be: You cannot keep the developer token a secret, and it could be exploited. From article, excerpt: *Apple really needs to implement domain or application restrictions to their MusicKit JS API, as their current method of authentication has some glaring malicious implications.* – Albertsen Jan 14 '20 at 07:22
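To make the concern in the question and the comment concrete, here is an added example (not code from the question, the linked article, or Apple's MusicKit JS) that simulates the Create React App build-time substitution of `%REACT_APP_...%` placeholders, pulls the token back out of the served HTML the way any visitor or a `curl` can, and decodes its JWT claims without any key. The HTML template, the environment value and the token itself are constructed for this example; the substitution function is a simplified stand-in for what the build does, and the claim layout (`alg` ES256, `kid`, `iss` holding the Team ID, `iat`, `exp`) follows the structure of Apple's developer token with the signature replaced by a dummy value.

```javascript
// Added example, not code from the question or from Apple's MusicKit JS.
// Everything below (template, env value, token) is constructed for illustration.

// A Create React App-style template. %REACT_APP_...% placeholders are replaced
// at build time, so the token ends up in the HTML every visitor downloads.
const TEMPLATE = `<head>
  <meta name="apple-music-developer-token" content="%REACT_APP_APPLE_MUSIC_DEVELOPER_TOKEN%">
  <meta name="apple-music-app-name" content="My Cool Web App">
</head>`;

// base64url helpers written against plain base64 so they run on any Node version.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Constructed token shaped like a MusicKit developer token: ES256 header with a
// key ID, Team ID as issuer, 180-day lifetime. The third segment is a placeholder,
// not a real ES256 signature (hypothetical values throughout).
const SAMPLE_IAT = 1578960000; // 2020-01-14T00:00:00Z
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: 'ES256', kid: 'ABC123DEFG' }),
  b64urlEncode({ iss: 'TEAMID1234', iat: SAMPLE_IAT, exp: SAMPLE_IAT + 180 * 86400 }),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
].join('.');

// Simplified stand-in for the build step: a plain string substitution of each
// %REACT_APP_*% placeholder with its environment value. Nothing is hidden.
function buildHtml(template, env) {
  return template.replace(/%(REACT_APP_[A-Z0-9_]+)%/g, (_, name) =>
    Object.prototype.hasOwnProperty.call(env, name) ? env[name] : '');
}

// What any visitor can do to the served page: read the token back out.
function extractDeveloperToken(html) {
  const m = html.match(/<meta\s+name="apple-music-developer-token"\s+content="([^"]*)"/);
  return m ? m[1] : null;
}

// Decode header and payload without verifying the signature. Verification would
// need the public key; reading the claims needs nothing at all.
function decodeJwt(token) {
  const [header, payload] = token.split('.');
  return { header: JSON.parse(b64urlDecode(header)), payload: JSON.parse(b64urlDecode(payload)) };
}

// Summarise what the exposed token reveals and how long it stays usable.
function exposureReport(html, nowSeconds) {
  const token = extractDeveloperToken(html);
  if (!token) return null;
  const { header, payload } = decodeJwt(token);
  return {
    teamId: payload.iss,
    keyId: header.kid,
    alg: header.alg,
    daysLeft: Math.floor((payload.exp - nowSeconds) / 86400),
  };
}

// Demo: "build" the page with the token in the environment, then inspect it as a visitor.
const servedHtml = buildHtml(TEMPLATE, { REACT_APP_APPLE_MUSIC_DEVELOPER_TOKEN: SAMPLE_TOKEN });
console.log(exposureReport(servedHtml, SAMPLE_IAT + 7 * 86400));
```

The report shows the practical shape of the exposure: the Team ID and key ID are visible to anyone who fetches the page, and the token remains usable for whatever lifetime is left in its `exp` claim, so the check a practitioner wants is how long that window is for the token actually deployed.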

0 Answers