Bandcamp API

Getting Access

Labels and merchandise fulfillment partners can interact with their accounts via the Bandcamp API. To register for API use, contact us, and include in your email a brief description of how you intend to use API access.

Calls to all Bandcamp APIs use OAuth 2.0 for authentication. Once a client has been created for you, you'll find your client ID and client secret by going to the API Access tab of your Settings page.

initial access

Once you have your client ID and client secret, you can request access tokens from the following endpoint:

https://bandcamp.com/oauth_token

This call should be a POST containing form data for three fields: client_id, client_secret, and grant_type. For example:

curl --request POST --url 'https://bandcamp.com/oauth_token' --data 'grant_type=client_credentials' --data-urlencode 'client_id=29' --data-urlencode 'client_secret=CuBFGlv2DGUrAJr%2BrTAcKMcwv9Se0lK4fBxxvM0pusU3D'

The results should look like this:

{
    "expires_in": 3600,
    "access_token": "2070894093.29.1458295960.aNQUQ8NGw7muoLtRv5OBrgmk368=",
    "refresh_token": "105.1.8veJaT3rdrwLU3gHqcnrrm513dY=",
    "ok": true,
    "token_type": "bearer"
}

calling the api

You can use your access token to securely call the API endpoints until it expires, by adding an 'Authorization' header to your calls containing the access token. For example:

Authorization: Bearer 2070894093.29.1458295960.aNQUQ8NGw7muoLtRv5OBrgmk368=

refresh tokens

Access tokens expire in one hour. When this happens, you can use the refresh token to get a new access token by calling the oauth_token endpoint. This call should be a POST containing URL-encoded form data for four fields: client_id, client_secret, refresh_token, and grant_type. For example:

curl --request POST --url 'https://bandcamp.com/oauth_token' --data 'grant_type=refresh_token' --data-urlencode 'client_id=29' --data-urlencode 'client_secret=CuBFGlv2DGUrAJr%2BrTAcKMcwv9Se0lK4fBxxvM0pusU3D' --data-urlencode 'refresh_token=105.1.8veJaT3rdrwLU3gHqcnrrm513dY='

revoke/regenerate your client

If you call the oauth_token endpoint twice with the grant type "client_credentials", you may get a 401 error, and see results like this:

{
    "error_description": "client 29 has multiple active grants",
    "error": "duplicate_grant"
}

If you have your current refresh token, use that to get a new access token.

If you've lost your refresh token, or you think your client credentials have been compromised, you can revoke and regenerate your client data. If you have label or band account(s), do this on the 'API Access' tab of your Settings page; if you have a partner account, do it at the top of your partners page. Once you have new client data, you can try the call again with grant_type "client_credentials".
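The token lifecycle from the initial access, refresh tokens and revoke/regenerate sections, as an added example in Python (not Bandcamp's code). `TokenManager`, `http_post`, the 60-second `skew` margin and keeping the previous refresh token when a refresh response omits one are assumptions made for this sketch; the endpoint, field names and response keys are the ones shown on this page.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://bandcamp.com/oauth_token"  # endpoint given on this page

def http_post(url, fields):
    """POST URL-encoded form data; return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # e.g. the 401 duplicate_grant reply
        return err.code, json.load(err)

class TokenManager:
    """Hypothetical helper: caches the access token and renews it before expiry."""
    def __init__(self, client_id, client_secret, post=http_post,
                 clock=time.time, refresh_token=None, skew=60):
        self.cid, self.secret = client_id, client_secret
        self.post, self.clock, self.skew = post, clock, skew
        self.refresh_token = refresh_token  # stored copy avoids duplicate_grant
        self.access_token, self.expires_at = None, 0.0

    def _grant(self, grant_type, **extra):
        fields = {"grant_type": grant_type, "client_id": self.cid,
                  "client_secret": self.secret, **extra}
        status, body = self.post(TOKEN_URL, fields)
        if status != 200 or "error" in body:
            # Raise only the error code; the request fields contain the secret.
            raise PermissionError(body.get("error", f"http_{status}"))
        self.access_token = body["access_token"]
        # Assumption: if a refresh reply has no refresh_token, keep the old one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + body["expires_in"]

    def auth_header(self):
        """Return the Authorization header, renewing the token when needed."""
        if self.clock() >= self.expires_at - self.skew:
            if self.refresh_token:
                self._grant("refresh_token", refresh_token=self.refresh_token)
            else:
                self._grant("client_credentials")
        return {"Authorization": f"Bearer {self.access_token}"}
```

Store the refresh token somewhere durable and pass it back in as `refresh_token=` on restart, so a restarted process does not issue a second client_credentials grant and hit the `duplicate_grant` error.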