The next step is to create an access token. The access token is valid for a limited time. The clientSecret is sent with this request; if this were an application that was given to others, keeping the secret would be a challenge to overcome:

$accessToken = Invoke-RestMethod -Uri https://accounts.spotify.com/api/token -Method POST -Body @{ 
grant_type    = 'authorization_code' 
code          = $authorizationCode 
redirect_uri  = $redirectUrl 
client_id     = $clientId 
client_secret = $clientSecret 
} 

The previous request used the HTTP method POST. The HTTP method, which should be used with a REST method, is documented in the developer guides for an interface.

Each of the requests that follow will use the access token from the previous request. The access token is placed in an HTTP header field named Authorization. The Authorization field is created using a hashtable:

$headers = @{ 
    Authorization = 'Bearer {0}' -f $accessToken.access_token 
}