Many developers know that you can easily get a MusicKit developer token from music.apple.com. Just go to the console of the browser and input "MusicKit.getInstance().developerToken".
As of now, the token is
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ2NDM1NTgxLCJleHAiOjE2NjE5ODc1ODF9.Ob5bfZBWLDlDkR4r5fNXIjp1Y1G0qY5mP9MVBm1mDFjG701_6AcZS6nwjk-CMJE2b8VLv1JWxKR5j5BDkKxQ7w
This token is not like the one we developers generate ourselves that has many limitations. Instead, it is a privileged one that has some powerful features and is able to invoke some "private" APIs as follows:
- Deleting users' resources (for example, DELETE method on https://amp-api.music.apple.com/v1/me/library/songs/{id})
- Getting and showing lyrics
- Renaming playlists, reordering songs in a playlist
- Many other features that music.apple.com could do but your apps couldn't
I think it's fine to use it privately and not be evil, but Apple failed to stop people from abusing it.
I already spotted one app selling on Microsoft Apps Store (https://apps.microsoft.com/store/detail/cider-alpha/9P21XJ9D9G66) that is taking advantage of this "privileged" token.
Proofs are as follows:
- fetch the privileged developer token: https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L3665
- removeFromLibrary: https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2254
- load official AM lyrics: https://github.com/ciderapp/Cider/blob/912a1816de01cbfc55e00a48f187d635d65c0e9c/src/renderer/index.js#L2237
They get the token for free, take the source code from music.apple.com with some modification, and put it into an Electron app. Then sell it and beat other competitor apps because it's more "powerful".
And this makes me a developer obeying the rules like a stupid fool because
- I pay $99 for ADP to get the developer token, while they get it for free
- I got a token that has limited features, while theirs are far more powerful
I already submitted it to Apple but got no response. Apple should really start to do something, otherwise it's like telling every developer that:
Stop paying $99 for ADP to get your developer token, just grab it from music.apple.com. It's free yet super powerful to call private APIs and bypass limitations.
Thank you for sharing your feedback and concerns.
The only supported way of accessing the Apple Music API is by using the method described in Getting Keys and Creating Tokens. Any other method may be blocked at any time. To ensure continued access to Apple Music from your app or website, use only the documented method to obtain a developer token.
We are also always looking to enhance the Apple Music API available to our developers, and your continued feedback—including the feedback in this post—helps drive that. Please continue to file any additional feedback about important missing functionality via Feedback Assistant.
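An added example (not from this thread or from Apple): a Node.js check that decodes a developer token's header and claims and confirms it is the one your own team issued through the documented key-and-token method, run here against the token quoted in the original post. `TEAMID0000` and `KEYID00000` are placeholder identifiers, the second token is a constructed sample, and the signature is not verified.

```javascript
// Added example: confirm a MusicKit developer token is the one your team issued.
const MAX_LIFETIME_S = 15777000; // six-month cap on exp in Apple's token documentation

function b64urlJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Decodes header and claims only; the ES256 signature is NOT verified here.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return { header: b64urlJson(parts[0]), payload: b64urlJson(parts[1]) };
}

// Returns the reasons a token does not match the key and team we expect.
function auditDeveloperToken(token, expected) {
  const { header, payload } = decodeJwt(token);
  const findings = [];
  if (header.alg !== "ES256") findings.push(`alg is ${header.alg}, expected ES256`);
  if (header.kid !== expected.keyId) findings.push(`kid "${header.kid}" is not our key ID`);
  if (payload.iss !== expected.teamId) findings.push(`iss "${payload.iss}" is not our Team ID`);
  if (!Number.isInteger(payload.iat) || !Number.isInteger(payload.exp)) {
    findings.push("iat or exp is missing");
  } else if (payload.exp - payload.iat > MAX_LIFETIME_S) {
    findings.push("lifetime exceeds six months");
  }
  return findings;
}

// The token quoted in the original post.
const POSTED_TOKEN = "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldlYlBsYXlLaWQifQ.eyJpc3MiOiJBTVBXZWJQbGF5IiwiaWF0IjoxNjQ2NDM1NTgxLCJleHAiOjE2NjE5ODc1ODF9.Ob5bfZBWLDlDkR4r5fNXIjp1Y1G0qY5mP9MVBm1mDFjG701_6AcZS6nwjk-CMJE2b8VLv1JWxKR5j5BDkKxQ7w";

// Placeholder identifiers (assumptions); substitute your own Team ID and key ID.
const EXPECTED = { teamId: "TEAMID0000", keyId: "KEYID00000" };

// Constructed sample shaped like a self-issued token; its signature is a dummy.
function makeSample(header, payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.ZHVtbXk`;
}
const OWN_TOKEN = makeSample({ alg: "ES256", kid: EXPECTED.keyId },
  { iss: EXPECTED.teamId, iat: 1700000000, exp: 1700000000 + 30 * 86400 });

console.log(decodeJwt(POSTED_TOKEN).payload);
console.log(auditDeveloperToken(POSTED_TOKEN, EXPECTED)); // two findings: kid and iss
console.log(auditDeveloperToken(OWN_TOKEN, EXPECTED));    // []
```

Run as a build or release check, a non-empty result means the bundled token was not minted from your own key and may stop working, as the reply above notes.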