Many developers know that you can easily get a MusicKit developer token from music.apple.com. Just go to the console of the browser and input "MusicKit.getInstance().developerToken".
As of now, the token is
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ2NDM1NTgxLCJleHAiOjE2NjE5ODc1ODF9.Ob5bfZBWLDlDkR4r5fNXIjp1Y1G0qY5mP9MVBm1mDFjG701_6AcZS6nwjk-CMJE2b8VLv1JWxKR5j5BDkKxQ7w
This token is not like the one we developers generate ourselves that has many limitations. Instead, it is a privileged one that has some powerful features and is able to invoke some "private" API as follows:
Deleting users' resources (for example, DELETE method on https://amp-api.music.apple.com/v1/me/library/songs/{id})
Getting and showing lyrics
Rename playlist, reordering songs in a playlist
Many other features that music.apple.com could do but your apps couldn't
I think it's fine to use it privately and do not be evil, but Apple failed to stop people from abusing it.
I already spotted one app selling on Microsoft Apps Store(https://apps.microsoft.com/store/detail/cider-alpha/9P21XJ9D9G66) that is taking advantage of this "privileged" token.
Proofs are as follows:
fetch the privileged developer token
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L3665
removeFromLibrary
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2254
load official AM lyrics
https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2237
They get the token for free, take the source code from music.apple.com with some modification, put it into an electron app. Then sell it and beat other competitor apps because it's more "powerful".
And this makes me a developer obeying the rules like a stupid fool because
I pay $99 for ADP to get the developer token, while they get it for free
I got a token that has limited features, while theirs are far more powerful
I already submitted it to Apple but got no response. Apple should really start to do something, otherwise It's like telling every developer that:
Stop paying $99 for ADP to get your developer token, just grab it from music.apple.com. It's free yet super powerful to call private APIs and bypass limitations.