The current JSON API version is 5. Two different endpoints are available:

Unless noted otherwise JSON-encoded requests sent by the client within the HTTP POST body are encrypted using Blowfish ECB and converted to hexadecimal notation with lowercase letters.

These URL parameters must be appended to the endpoint above if available:

Name Description
method Method name
auth_token User auth token if available, partner auth token or empty if neither is known yet.
partner_id Partner id obtained by Partner login or empty
user_id User id as obtained by User login or empty

For instance when calling User login two parameters are known: method and partner_id. The URL in this case would be http://tuner.pandora.com/services/json/?method=auth.userLogin&partner_id=123. Make sure you URL encode the parameter’s values.

The following values must be present in every JSON request object (if available):

Name Type Description
userAuthToken string User auth token, see User login
syncTime int Synchonized time. Calculation: current time + (time of Partner login request – syncTime from Partner login response). This is a protection against replay-attacks.

Every response includes the key stat which indicates success (ok) or failure (fail) of the resquest. Failed requests contain an error code and message whereas successful requests carry actual response data in the key result:

    "stat": "ok",
    "result": {
    "stat": "fail",
    "message": "An unexpected error occurred",
    "code": 1008