What Do We Use For the Android MusicKit Developer Token?
I am attempting to use Apple's MusicKit SDK for Android. Adding their authorization SDK went fine, and I can launch the Apple Music app to request authorization. However, I keep getting TOKEN_FETCH_ERROR in the response, suggesting that Apple does not like my developer token.
In my call to createIntentBuilder() on Apple's AuthenticationManager, where I am supposed to pass my developer token, what exactly is that token?
The .p8 file that I got from developer.apple.com is an encoded certificate, with four encoded lines between the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. I am under the impression that we are to use this .p8 file as the developer token, but I have tried each of the following:
- The verbatim contents of the
.p8file, including all newlines - The contents consolidated onto one encoded line between the
BEGINandENDlines - Just the encoded contents, all on one line
None seem to work — they all give me TOKEN_FETCH_ERROR responses. The key itself is enabled for "Media Services (MusicKit, ShazamKit, Apple Music Feed)", which feels like the right option.
interface AppleMusicAuth {
sealed interface AuthResult {
data class Success(val musicUserToken: String) : AuthResult
data object Failure : AuthResult
}
fun buildSignInIntent(): Intent
fun decodeIntentResult(intent: Intent?): AuthResult
}
class AppleMusicAuthImpl(private val context: Context) : AppleMusicAuth {
private val authManager = AuthenticationFactory.createAuthenticationManager(context)
override fun buildSignInIntent() =
authManager.createIntentBuilder(context.getString(R.string.developer_token))
.setHideStartScreen(true)
.setStartScreenMessage("hi!")
.build()
override fun decodeIntentResult(intent: Intent?): AppleMusicAuth.AuthResult {
val rawResult = authManager.handleTokenResult(intent)
return if (rawResult.isError) {
Log.e("test", "Error from Apple Music: ${rawResult.error}")
AppleMusicAuth.AuthResult.Failure
} else {
Log.d("test", "musicUserToken ${rawResult.musicUserToken}")
AppleMusicAuth.AuthResult.Success(rawResult.musicUserToken)
}
}
}
In the above code, I am going through the rawResult.isError branch, and the log message shows that the error is TOKEN_FETCH_ERROR.
This answer tries to provide an end-to-end explanation of how to get a MusicKit developer token on Android. These instructions were accurate as of 2 August 2024. Things tied to Apple's Web site might have changed by the time that you read this. The code snippets were based on JJWT version 0.12.6.
Step #1: Set up an Apple developer account at https://developer.apple.com/
Step #2: Visit https://developer.apple.com/account, scroll down to the "Membership details" section, and note what value you have for "Team ID". This value appears to be semi-secret, so you may want to treat it akin to how you treat other secret values in your code base.
Step #3: On that same page, go to the "Certificates, IDs & Profiles" section and click on "Identifiers":
Step #4: Click the "+" sign next to "Identifiers":
Step #5: In the long list of identifier types, choose "Media IDs" and click the "Continue" button:
Step #6: In the "Register a Media ID" page, choose "MusicKit", fill in a suitable description, fill in a suitable identifier (following their instructions), and click "Continue". You can then click "Register" after confirming what you filled in to actually create the ID:
Step #7: After Step #6, you should have wound up back at the Identifiers page from Step #3, except that your identifier should appear there. If you wound up somewhere else, follow those first few steps to get back into the "Certificates, Identifiers & Profiles" page.
Step #8: Click on "Keys" to visit the Keys page, then click the "+" button:
Step #9: On the "Register a New Key" page, check the "Media Services" option, then click the "Configure" button:
Step #10: On the "Configure Key" page, choose your identifier from Step #6 in the drop-down, then click Save:
Step #11: You should have wound up back on the "Register a New Key", with the "Configure" button now changed to an "Edit" button. Fill in a key name, then click "Continue". Then click "Register" after confirming what you filled in.
Step #12: You should wind up on a "Download Your Key" page. Click "Download" to download a .p8 file, and save it somewhere private and safe. Click "Done" when you are done.
Step #13: This should lead you back to the Keys page from Step #8, with your new key in the list. Click on it to view the key details. Note what value you have for "Key ID". This value appears to be semi-secret, so you may want to treat it akin to how you treat other secret values in your code base.
Step #14: Make a copy of the .p8 file, then edit that copy in a plain text editor (e.g., Sublime Text). Remove the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines and remove all newlines, so the seemingly-random text (actually some base64-encoded data) all appears on one line. Store this encoded private key akin to how you treat other secret values in your code. At this point, you have a total of three secrets: the team ID, the key ID, and the encoded private key (derived from the .p8 file).
Step #15: Add the JJWT library to your app.
Step #16: Create a function akin to the following:
private fun buildDeveloperToken(p8: String, keyId: String, teamId: String): String {
val priPKCS8 = PKCS8EncodedKeySpec(Decoders.BASE64.decode(p8))
val appleKey = KeyFactory.getInstance("EC").generatePrivate(priPKCS8)
val now = Instant.now()
val expiration = now.plus(120, ChronoUnit.DAYS)
val jwt = Jwts.builder().apply {
header()
.add("alg", "ES256")
.add("kid", keyId)
claim("iss", teamId)
issuedAt(Date.from(now))
expiration(Date.from(expiration))
}.signWith(appleKey).compact()
return jwt
}
Here, p8 is the encoded private key derived from the .p8 file, keyId is the key ID, and teamId is the team ID. This code decodes p8 into a PrivateKey, builds a JWT token using the keyId and teamId, and signs it with the PrivateKey, following Apple's documentation. Note that this code sets the lifetime of the signature to be 120 days — the maximum is six months.
You can then use that buildDeveloperToken() function in things like createIntentBuilder():
fun buildSignInIntent() =
AuthenticationFactory.createAuthenticationManager(context)
.createIntentBuilder(buildDeveloperToken(...))
.setHideStartScreen(false)
.setStartScreenMessage("i can haz ur muzik?")
.build()
(where ... is code that retrieves those three secrets from wherever you are storing them)
- Capacitor on Android fails with error: "ERR_SDK_PACKAGE_NOT_FOUND: SDK package not found by location: D:\Android_SDK_HOME\platform-tools."
- Flutter App Cant Authenticate to Google Drive API Using google_sign_in Package
- Spinner in Full Screen android app is showing status bar
- Android SDK not found for react-native
- Android: .nomedia is ignored, images still appear on the gallery
- BuildConfig not getting created correctly (Gradle Android)
- Androidx : How to test Slider in UI tests (Espresso)?
- RequiresApi vs TargetApi android annotations
- React Native, Execution failed for task ':app:mergeDexDebug'
- Request for permission (Pop - up) dialog is not showing in Android
- Reset mutableStateOf if the initial value changes - Jetpack Compose
- How to use a custom typeface in a widget?
- How NOT to create projects with Jetpack Compose using Android Studio
- Customize android app preview when it is in background with secure flag
- Viewmodels in android using mvvm and jetpackcompose
- text and icon parameters in a Tab don't allow composable invocations
- Channel vs Shared Flow what is the difference
- Android Jetpack Compose Room query depending on Flow
- Jetpack Compose how to recompose when internal state changes
- How to fix this Hilt gradle setup?
- How to use ThreeTenABP in Android Project
- Unable to load class Plugin
- How can I add .so files to an android library project using gradle 0.7+
- How to get context for Room database and initialize it correctly in Android Compose?
- How to show/hide password in TextFormField?
- How to pass List of data from NavGraph in android kotlin Android
- Firebase analytics AppMeasurement not enabled
- Why WebView doesn't render raw HTML properly?
- ':google_sign_in_android:compileDebugJavaWithJavac'
- Play Media using URL in Android using Media