The Pandora REST API is used by modern Pandora apps including the website and the various mobile apps provided by Pandora. The current REST API has multiple versions and not all functionality seems to be supported for each version. Released API versions are stable but new APIs are added often as the Pandora feature set evolves. The main endpoint is:

All requests are JSON-encoded and sent in the HTTP POST body to the endpoints over HTTPS. Requests require a Content-Type header of application/json. Response bodies are JSON-encoded values. Unlike the JSON v5 API, there is no requirement for time synchronization, Blowfish cryptography, or partner logins.

Auth Token

All requests except for login require an X-AuthToken header which contains the auth token obtained during login. It is acceptable to include the X-AuthToken header with an empty value during login.

    POST /api/v1/station/getStations HTTP/1.1
    Content-Type: application/json;charset=utf-8
    X-CsrfToken: 123456a7889b1c23
    X-AuthToken: dGhpcyBpcyBqdXN0IGFuIGV4YW1wbGUgY29kZQo=

    { "pageSize": 250 }


Error conditions are indicated by a combination of HTTP status code and a JSON response body. Any response with a 200 status code is successful.

    {
        "errorCode": 0,
        "errorString": "INVALID_REQUEST",
        "message": "The request could not be validated"
    }
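The request and error conventions above can be combined into a small client-side helper. This is an added example, not code from the original page or from Pandora. It builds the POST without sending it, masks token headers for logging, and turns a non-200 response into an exception. `BASE_URL` is a placeholder because the page does not give the host, and `PandoraAPIError`, `build_request`, `redacted_headers` and `parse_response` are hypothetical names.

```python
import json
import urllib.request

BASE_URL = "https://pandora.example.invalid"  # placeholder host (assumption)


class PandoraAPIError(Exception):
    """Hypothetical exception carrying the fields of the JSON error body."""

    def __init__(self, status, error_code, error_string, message):
        super().__init__(f"HTTP {status}: {error_string} ({error_code}): {message}")
        self.status, self.error_code, self.error_string = status, error_code, error_string


def build_request(path, payload, auth_token="", csrf_token=None):
    """Build (not send) a JSON POST. auth_token may be empty for login."""
    if not path.startswith("/api/"):
        raise ValueError("path must be an API path such as /api/v1/...")
    headers = {"Content-Type": "application/json;charset=utf-8",
               "X-AuthToken": auth_token}
    if csrf_token is not None:  # header shown in the page's sample request
        headers["X-CsrfToken"] = csrf_token
    data = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(BASE_URL + path, data=data,
                                  headers=headers, method="POST")


def redacted_headers(request):
    """Headers safe to write to logs: non-empty token values are masked.
    urllib stores names capitalized (e.g. 'X-authtoken'), so compare lowercased."""
    secret = {"x-authtoken", "x-csrftoken"}
    return {k: ("<redacted>" if k.lower() in secret and v else v)
            for k, v in request.header_items()}


def parse_response(status, body):
    """Return the decoded JSON on 200; raise PandoraAPIError for any other status."""
    if status == 200:
        return json.loads(body.decode("utf-8"))
    try:
        err = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        err = None  # e.g. an HTML error page from an intermediary
    if not isinstance(err, dict):
        err = {}
    raise PandoraAPIError(status, err.get("errorCode"),
                          err.get("errorString", "UNKNOWN"), err.get("message", ""))
```

The auth token is a bearer credential, so log `redacted_headers(req)` rather than the request's raw headers.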