Authentication

Authentication is divided into two steps: Partner and user login.

Check licensing

Method:test.checkLicensing

Check whether Pandora is available in the connecting client’s country, based on geoip database. This is not strictly required since Partner login enforces this restriction. The request has no parameters.

Name Type Description
isAllowed bool  

Partner login

Method:auth.partnerLogin

This request additionally serves as API version validation, time synchronization and endpoint detection and must be sent over a TLS-encrypted link. The POST body however is not encrypted.

Name Type Description
username string See Partner passwords
password string See Partner passwords
deviceModel string See Partner passwords
version string Current version number, “5”.
includeUrls boolean  
returnDeviceType boolean  
returnUpdatePromptVersions boolean  
{
    "username": "pandora one",
    "password": "TVCKIBGS9AO9TSYLNNFUML0743LH82D",
    "deviceModel": "D01",
    "version": "5"
}

syncTime is used to calculate the server time, see synctime. partnerId and authToken are required to procceed with user authentication.

Name Type Description
syncTime string Hex-encoded, encrypted server time. Decrypt with password from Partner passwords and skip first four bytes of garbage.
partnerAuthToken string  
partnerId string  
{
    "stat": "ok",
    "result": {
        "syncTime": "6923e263a8c3ac690646146b50065f43",
        "deviceProperties": {
            "videoAdRefreshInterval": 900,
            "videoAdUniqueInterval": 0,
            "adRefreshInterval": 5,
            "videoAdStartInterval": 180
        },
        "partnerAuthToken": "VAzrFQTtsy3BQ3K+3iqFi0WF5HA63B1nFA",
        "partnerId": "42",
        "stationSkipUnit": "hour",
        "urls": {
            "autoComplete": "http://autocomplete.pandora.com/search"
        },
        "stationSkipLimit": 6
    }
}
Code Description
1002 INVALID_PARTNER_LOGIN. Invalid partner credentials.

User login

Method:auth.userLogin

This request must be sent over a TLS-encrypted link. It authenticates the Pandora user by sending his username, usually his email address, and password as well as the partnerAuthToken obtained by Partner login.

Additional response data can be requested by setting flags listed below.

Name Type Description
loginType string “user”
username string Username
password string User’s password
partnerAuthToken string Partner token obtained by Partner login
returnGenreStations boolean (optional)
returnCapped boolean return isCapped parameter (optional)
includePandoraOneInfo boolean (optional)
includeDemographics boolean (optional)
includeAdAttributes boolean (optional)
returnStationList boolean Return station list, see Retrieve station list (optional)
includeStationArtUrl boolean (optional)
includeStationSeeds boolean (optional)
includeShuffleInsteadOfQuickMix boolean (optional)
stationArtSize string W130H130(optional)
returnCollectTrackLifetimeStats boolean (optional)
returnIsSubscriber boolean (optional)
xplatformAdCapable boolean (optional)
complimentarySponsorSupported boolean (optional)
includeSubscriptionExpiration boolean (optional)
returnHasUsedTrial boolean (optional)
returnUserstate boolean (optional)
includeAccountMessage boolean (optional)
includeUserWebname boolean (optional)
includeListeningHours boolean (optional)
includeFacebook boolean (optional)
includeTwitter boolean (optional)
includeDailySkipLimit boolean (optional)
includeSkipDelay boolean (optional)
includeGoogleplay boolean (optional)
includeShowUserRecommendations boolean (optional)
includeAdvertiserAttributes boolean (optional)
{
    "loginType": "user",
    "username": "user@example.com",
    "password": "example",
    "partnerAuthToken": "VAzrFQTtsy3BQ3K+3iqFi0WF5HA63B1nFA",
    "includePandoraOneInfo":true,
    "includeAdAttributes":true,
    "includeSubscriptionExpiration":true,
    "includeStationArtUrl":true,
    "returnStationList":true,
    "returnGenreStations":true,
    "syncTime": 1335777573
}

The returned userAuthToken is used to authenticate access to other API methods.

Name Type Description
isCapped boolean  
userAuthToken string  
{
    "stat": "ok",
    "result": {
        "stationCreationAdUrl": "http://ad.doubleclick.net/adx/pand.android/prod.createstation;ag=112;gnd=1;zip=23950;genre=0;model=;app=;OS=;dma=560;clean=0;logon=__LOGON__;tile=1;msa=115;st=VA;co=51117;et=0;mc=0;aa=0;hisp=0;hhi=0;u=l*2jedvn446s7ce!ag*112!gnd*1!zip*23950!dma*560!clean*0!logon*__LOGON__!msa*115!st*VA!co*51117!et*0!mc*0!aa*0!hisp*0!hhi*0!genre*0;sz=320x50;ord=__CACHEBUST__",
        "hasAudioAds": true,
        "splashScreenAdUrl": "http://ad.doubleclick.net/pfadx/pand.android/prod.welcome;ag=112;gnd=1;zip=23950;model=;app=;OS=;dma=560;clean=0;hours=1;msa=115;st=VA;co=51117;et=0;mc=0;aa=0;hisp=0;hhi=0;u=l*op4jfgdxmddjk!ag*112!gnd*1!zip*23950!dma*560!clean*0!msa*115!st*VA!co*51117!et*0!mc*0!aa*0!hisp*0!hhi*0!hours*1;sz=320x50;ord=__CACHEBUST__",
        "videoAdUrl": "http://ad.doubleclick.net/pfadx/pand.android/prod.nowplaying;ag=112;gnd=1;zip=23950;dma=560;clean=0;hours=1;app=;index=__INDEX__;msa=115;st=VA;co=51117;et=0;mc=0;aa=0;hisp=0;hhi=0;u=l*2jedvn446s7ce!ag*112!gnd*1!zip*23950!dma*560!clean*0!index*__INDEX__!msa*115!st*VA!co*51117!et*0!mc*0!aa*0!hisp*0!hhi*0!hours*1;sz=442x188;ord=__CACHEBUST__",
        "username": "user@example.com",
        "canListen": true,
        "nowPlayingAdUrl": "http://ad.doubleclick.net/pfadx/pand.android/prod.nowplaying;ag=112;gnd=1;zip=23950;genre=0;station={4};model=;app=;OS=;dma=560;clean=0;hours=1;artist=;interaction=__INTERACTION__;index=__INDEX__;newUser=__AFTERREG__;logon=__LOGON__;msa=115;st=VA;co=51117;et=0;mc=0;aa=0;hisp=0;hhi=0;u=l*op4jfgdxmddjk!ag*112!gnd*1!zip*23950!station*{4}!dma*560!clean*0!index*__INDEX__!newUser*__AFTERREG__!logon*__LOGON__!msa*115!st*VA!co*51117!et*0!mc*0!aa*0!hisp*0!hhi*0!genre*0!interaction*__INTERACTION__!hours*1;sz=320x50;ord=__CACHEBUST__",
        "userId": "272772589",
        "listeningTimeoutMinutes": "180",
        "maxStationsAllowed": 100,
        "listeningTimeoutAlertMsgUri": "/mobile/still_listening.vm",
        "userProfileUrl": "https://www.pandora.com/login?auth_token=XXX&target=%2Fpeople%2FXXX",
        "minimumAdRefreshInterval": 5,
        "userAuthToken": "XXX"
    }
}
Code Description
1002 Wrong user credentials.