spotify-monitor 2.0rc1__py3-none-any.whl → 2.1__py3-none-any.whl

spotify_monitor.py

@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 """
 Author: Michal Szymanski <misiektoja-github@rm-rf.ninja>
-v2.0
+v2.1
 
 Tool implementing real-time tracking of Spotify friends music activity:
 https://github.com/misiektoja/spotify_monitor/
@@ -11,20 +11,30 @@ Python pip3 requirements:
 requests
 python-dateutil
 urllib3
-pyotp
+pyotp (needed when the token source is set to cookie)
 python-dotenv (optional)
 """
 
-VERSION = "2.0"
+VERSION = "2.1"
 
 # ---------------------------
 # CONFIGURATION SECTION START
 # ---------------------------
 
 CONFIG_BLOCK = """
+# Select the method used to obtain the Spotify access token
+# Available options:
+#   cookie  - uses the sp_dc cookie to retrieve a token via the Spotify web endpoint (recommended)
+#   client  - uses captured credentials from the Spotify desktop client and a Protobuf-based login flow (for advanced users)
+TOKEN_SOURCE = "cookie"
+
+# ------------------------------------------------
+
+# The section below is used when the token source is set to 'cookie'
+# (to configure the alternative 'client' method, see the section at the end of this config block)
+#
 # Log in to Spotify web client (https://open.spotify.com/) and retrieve your sp_dc cookie
 # Use your web browser's dev console or "Cookie-Editor" by cgagnier to extract it easily: https://cookie-editor.com/
-# The sp_dc cookie is typically valid for up to 2 weeks
 #
 # Provide the SP_DC_COOKIE secret using one of the following methods:
 #   - Pass it at runtime with -u / --spotify-dc-cookie
@@ -34,6 +44,8 @@ CONFIG_BLOCK = """
 #   - Hard-code it in the code or config file
 SP_DC_COOKIE = "your_sp_dc_cookie_value"
 
+# ------------------------------------------------
+
 # SMTP settings for sending email notifications
 # If left as-is, no notifications will be sent
 #
@@ -199,11 +211,93 @@ CLEAR_SCREEN = True
 # Value added/subtracted via signal handlers to adjust inactivity timeout (SPOTIFY_INACTIVITY_CHECK); in seconds
 SPOTIFY_INACTIVITY_CHECK_SIGNAL_VALUE = 30  # 30 seconds
 
-# Maximum number of attempts to get a valid access token in a single run of the spotify_get_access_token() function
+# Maximum number of attempts to get a valid access token in a single run of the spotify_get_access_token_from_sp_dc() function
+# Used only when the token source is set to 'cookie'
 TOKEN_MAX_RETRIES = 10
 
 # Interval between access token retry attempts; in seconds
+# Used only when the token source is set to 'cookie'
 TOKEN_RETRY_TIMEOUT = 0.5  # 0.5 second
+
+# ------------------------------------------------
+# The section below is used when the token source is set to 'client'
+#
+# To extract device_id, system_id, user_uri_id and refresh_token from binary login request Protobuf file:
+#
+# - run an intercepting proxy of your choice (like Proxyman)
+# - launch the Spotify desktop client and look for requests to: https://login{n}.spotify.com/v3/login
+#   note: the 'login' part is suffixed with one or more digits
+# - export the login request body (a binary Protobuf payload) to a file
+#   (e.g. in Proxyman: right click the request -> Export -> Request Body -> Save File -> <login-request-body-file>)
+#
+# Can also be set using the -w flag
+LOGIN_REQUEST_BODY_FILE = ""
+
+# Alternatively, set the configuration options below manually
+#
+# For the binary login request Protobuf body, if your proxy supports Protobuf decoding, extract:
+#   - DEVICE_ID
+#   - SYSTEM_ID
+#   - USER_URI_ID
+#   - REFRESH_TOKEN
+# and assign them to respective configuration options
+#
+# Alternatively, you can use protoc tool (part of Protobuf pip package) to decode the binary:
+#   protoc --decode_raw < <path-to-login-request-body-file>
+#
+# If you decided to set the configuration options manually, it is recommended to provide the REFRESH_TOKEN
+# secret using one of the following methods:
+#   - Set it as an environment variable (e.g. export REFRESH_TOKEN=...)
+#   - Add it to ".env" file (REFRESH_TOKEN=...) for persistent use
+# Fallback:
+#   - Hard-code it in the code or config file
+DEVICE_ID = "your_spotify_app_device_id"
+SYSTEM_ID = "your_spotify_app_system_id"
+USER_URI_ID = "your_spotify_user_uri_id"
+REFRESH_TOKEN = "your_spotify_app_refresh_token"
+
+# Default values below are typically fine - only modify if necessary
+
+# Spotify login URL
+LOGIN_URL = "https://login5.spotify.com/v3/login"
+
+# Spotify client token URL
+CLIENTTOKEN_URL = "https://clienttoken.spotify.com/v1/clienttoken"
+
+# Optional: specify user agent manually, some examples:
+#
+# Spotify/126200580 Win32_x86_64/0 (PC desktop)
+# Spotify/126400408 OSX_ARM64/OS X 15.5.0 [arm 2]
+#
+# Leave empty to auto-generate it randomly
+USER_AGENT = ""
+
+# Optional: specify app version manually (e.g. '1.2.62.580.g7e3d9a4f')
+# Leave empty to auto-generate from USER_AGENT
+APP_VERSION = ""
+
+# Platform-specific values for token generation, typically leave unchanged
+# You can also extract these from a captured client token request Protobuf file (see below)
+CPU_ARCH = 10
+OS_BUILD = 19045
+PLATFORM = 2
+OS_MAJOR = 9
+OS_MINOR = 9
+CLIENT_MODEL = 34404
+
+# Optional: to extract app_version, cpu_arch, os_build, platform, os_major, os_minor and client_model from
+# binary client token request Protobuf file:
+#
+# - run an intercepting proxy of your choice (like Proxyman)
+# - launch the Spotify desktop client and look for requests to: https://clienttoken.spotify.com/v1/clienttoken
+#   (these requests are sent every time client token expires, usually every 2 weeks)
+# - export the client token request body (a binary Protobuf payload) to a file
+#   (e.g. in Proxyman: right click the request -> Export -> Request Body -> Save File -> <clienttoken-request-body-file>)
+#
+# Can also be set via the -z flag
+CLIENTTOKEN_REQUEST_BODY_FILE = ""
+
+# ------------------------------------------------
 """
 
 # -------------------------
@@ -212,7 +306,24 @@ TOKEN_RETRY_TIMEOUT = 0.5  # 0.5 second
 
 # Default dummy values so linters shut up
 # Do not change values below - modify them in the configuration section or config file instead
+TOKEN_SOURCE = ""
 SP_DC_COOKIE = ""
+LOGIN_REQUEST_BODY_FILE = ""
+CLIENTTOKEN_REQUEST_BODY_FILE = ""
+LOGIN_URL = ""
+USER_AGENT = ""
+DEVICE_ID = ""
+SYSTEM_ID = ""
+USER_URI_ID = ""
+REFRESH_TOKEN = ""
+CLIENTTOKEN_URL = ""
+APP_VERSION = ""
+CPU_ARCH = 0
+OS_BUILD = 0
+PLATFORM = 0
+OS_MAJOR = 0
+OS_MINOR = 0
+CLIENT_MODEL = 0
 SMTP_HOST = ""
 SMTP_PORT = 0
 SMTP_USER = ""
@@ -264,18 +375,23 @@ exec(CONFIG_BLOCK, globals())
 DEFAULT_CONFIG_FILENAME = "spotify_monitor.conf"
 
 # List of secret keys to load from env/config
-SECRET_KEYS = ("SP_DC_COOKIE", "SMTP_PASSWORD")
+SECRET_KEYS = ("REFRESH_TOKEN", "SP_DC_COOKIE", "SMTP_PASSWORD")
 
 # Strings removed from track names for generating proper Genius search URLs
 re_search_str = r'remaster|extended|original mix|remix|original soundtrack|radio( |-)edit|\(feat\.|( \(.*version\))|( - .*version)'
 re_replace_str = r'( - (\d*)( )*remaster$)|( - (\d*)( )*remastered( version)*( \d*)*.*$)|( \((\d*)( )*remaster\)$)|( - (\d+) - remaster$)|( - extended$)|( - extended mix$)|( - (.*); extended mix$)|( - extended version$)|( - (.*) remix$)|( - remix$)|( - remixed by .*$)|( - original mix$)|( - .*original soundtrack$)|( - .*radio( |-)edit$)|( \(feat\. .*\)$)|( \(\d+.*Remaster.*\)$)|( \(.*Version\))|( - .*version)'
 
-# Default value for network-related timeouts in functions
+# Default value for network-related timeouts in functions; in seconds
 FUNCTION_TIMEOUT = 15
 
-# Variables for caching functionality of the Spotify access token to avoid unnecessary refreshing
+# Default value for alarm signal handler timeout; in seconds
+ALARM_TIMEOUT = 15
+ALARM_RETRY = 10
+
+# Variables for caching functionality of the Spotify access and refresh token to avoid unnecessary refreshing
 SP_CACHED_ACCESS_TOKEN = None
-SP_TOKEN_EXPIRES_AT = 0
+SP_CACHED_REFRESH_TOKEN = None
+SP_ACCESS_TOKEN_EXPIRES_AT = 0
 SP_CACHED_CLIENT_ID = ""
 SP_CACHED_USER_AGENT = ""
 
@@ -285,9 +401,9 @@ TOKEN_URL = "https://open.spotify.com/get_access_token"
 # URL of the endpoint to get server time needed to create TOTP object
 SERVER_TIME_URL = "https://open.spotify.com/server-time"
 
-# Default value for alarm signal handler timeout; in seconds
-ALARM_TIMEOUT = int((TOKEN_MAX_RETRIES * TOKEN_RETRY_TIMEOUT) + 5)
-ALARM_RETRY = 10
+# Variables for caching functionality of the Spotify client token to avoid unnecessary refreshing
+SP_CACHED_CLIENT_TOKEN = None
+SP_CLIENT_TOKEN_EXPIRES_AT = 0
 
 LIVENESS_CHECK_COUNTER = LIVENESS_CHECK_INTERVAL / SPOTIFY_CHECK_INTERVAL
 
@@ -323,20 +439,18 @@ from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText
 import argparse
 import csv
-from urllib.parse import quote_plus, quote
+from urllib.parse import quote_plus, quote, urlparse
 import subprocess
 import platform
 import re
 import ipaddress
 from html import escape
-try:
-    import pyotp
-except ModuleNotFoundError:
-    raise SystemExit("Error: Couldn't find the pyotp library !\n\nTo install it, run:\n    pip3 install pyotp\n\nOnce installed, re-run this tool")
 import base64
 import random
 import shutil
 from pathlib import Path
+import secrets
+from typing import Optional
 
 import urllib3
 if not VERIFY_SSL:
@@ -536,7 +650,7 @@ def send_email(subject, body, body_html, use_ssl, smtp_timeout=15):
         return 1
 
     if not SMTP_USER or not isinstance(SMTP_USER, str) or SMTP_USER == "your_smtp_user" or not SMTP_PASSWORD or not isinstance(SMTP_PASSWORD, str) or SMTP_PASSWORD == "your_smtp_password":
-        print("Error sending email - SMTP settings are incorrect (check SMTP_USER & SMTP_PASSWORD variables)")
+        print("Error sending email - SMTP settings are incorrect (check SMTP_USER & SMTP_PASSWORD configuration options)")
         return 1
 
     if not subject or not isinstance(subject, str):
@@ -772,10 +886,16 @@ def decrease_inactivity_check_signal_handler(sig, frame):
     print_cur_ts("Timestamp:\t\t\t")
 
 
-# Signal handler for SIGHUP allowing to reload secrets from .env
+# Signal handler for SIGHUP allowing to reload secrets from dotenv files and token source credentials
+# from login & client token requests body files
 def reload_secrets_signal_handler(sig, frame):
+    global DEVICE_ID, SYSTEM_ID, USER_URI_ID, REFRESH_TOKEN, LOGIN_URL, USER_AGENT, APP_VERSION, CPU_ARCH, OS_BUILD, PLATFORM, OS_MAJOR, OS_MINOR, CLIENT_MODEL
+
     sig_name = signal.Signals(sig).name
-    print(f"* Signal {sig_name} received")
+
+    print(f"* Signal {sig_name} received\n")
+
+    suffix = "\n" if TOKEN_SOURCE == 'client' else ""
 
     # disable autoscan if DOTENV_FILE set to none
     if DOTENV_FILE and DOTENV_FILE.lower() == 'none':
@@ -791,10 +911,10 @@ def reload_secrets_signal_handler(sig, frame):
             if env_path:
                 load_dotenv(env_path, override=True)
             else:
-                print("* No .env file found, skipping env-var reload")
+                print(f"* No .env file found, skipping env-var reload{suffix}")
         except ImportError:
             env_path = None
-            print("* python-dotenv not installed, skipping env-var reload")
+            print(f"* python-dotenv not installed, skipping env-var reload{suffix}")
 
     if env_path:
         for secret in SECRET_KEYS:
@@ -802,12 +922,49 @@ def reload_secrets_signal_handler(sig, frame):
             val = os.getenv(secret)
             if val is not None and val != old_val:
                 globals()[secret] = val
-                print(f"* Reloaded {secret} from {env_path}")
+                print(f"* Reloaded {secret} from {env_path}{suffix}")
+
+    if TOKEN_SOURCE == 'client':
+
+        # Process the login request body file
+        if LOGIN_REQUEST_BODY_FILE:
+            if os.path.isfile(LOGIN_REQUEST_BODY_FILE):
+                try:
+                    DEVICE_ID, SYSTEM_ID, USER_URI_ID, REFRESH_TOKEN = parse_request_body_file(LOGIN_REQUEST_BODY_FILE)
+                except Exception as e:
+                    print(f"* Error: Protobuf file ({LOGIN_REQUEST_BODY_FILE}) cannot be processed: {e}")
+                else:
+                    print(f"* Login data correctly read from Protobuf file ({LOGIN_REQUEST_BODY_FILE}):")
+                    print(" - Device ID:\t\t", DEVICE_ID)
+                    print(" - System ID:\t\t", SYSTEM_ID)
+                    print(" - User URI ID:\t\t", USER_URI_ID)
+                    print(" - Refresh Token:\t<<hidden>>\n")
+            else:
+                print(f"* Error: Protobuf file ({LOGIN_REQUEST_BODY_FILE}) does not exist")
+
+        # Process the client token request body file
+        if CLIENTTOKEN_REQUEST_BODY_FILE:
+            if os.path.isfile(CLIENTTOKEN_REQUEST_BODY_FILE):
+                try:
+                    (APP_VERSION, _, _, CPU_ARCH, OS_BUILD, PLATFORM, OS_MAJOR, OS_MINOR, CLIENT_MODEL) = parse_clienttoken_request_body_file(CLIENTTOKEN_REQUEST_BODY_FILE)
+                except Exception as e:
+                    print(f"* Error: Protobuf file ({CLIENTTOKEN_REQUEST_BODY_FILE}) cannot be processed: {e}")
+                else:
+                    print(f"* Client token data correctly read from Protobuf file ({CLIENTTOKEN_REQUEST_BODY_FILE}):")
+                    print(" - App version:\t\t", APP_VERSION)
+                    print(" - CPU arch:\t\t", CPU_ARCH)
+                    print(" - OS build:\t\t", OS_BUILD)
+                    print(" - Platform:\t\t", PLATFORM)
+                    print(" - OS major:\t\t", OS_MAJOR)
+                    print(" - OS minor:\t\t", OS_MINOR)
+                    print(" - Client model:\t", CLIENT_MODEL, "\n")
+            else:
+                print(f"* Error: Protobuf file ({CLIENTTOKEN_REQUEST_BODY_FILE}) does not exist")
 
     print_cur_ts("Timestamp:\t\t\t")
 
 
-# Prepares Apple & Genius search URLs for specified track
+# Returns Apple & Genius search URLs for specified track
 def get_apple_genius_search_urls(artist, track):
     genius_search_string = f"{artist} {track}"
     youtube_music_search_string = quote_plus(f"{artist} {track}")
@@ -820,6 +977,35 @@ def get_apple_genius_search_urls(artist, track):
     return apple_search_url, genius_search_url, youtube_music_search_url
 
 
+# Sends a lightweight request to check Spotify token validity
+def check_token_validity(access_token: str, client_id: Optional[str] = None, user_agent: Optional[str] = None) -> bool:
+    url = "https://api.spotify.com/v1/me"
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    if TOKEN_SOURCE == "cookie" and client_id is not None and user_agent is not None:
+        headers.update({
+            "Client-Id": client_id,
+            "User-Agent": user_agent,
+        })
+
+    if platform.system() != 'Windows':
+        signal.signal(signal.SIGALRM, timeout_handler)
+        signal.alarm(FUNCTION_TIMEOUT + 2)
+    try:
+        response = req.get(url, headers=headers, timeout=FUNCTION_TIMEOUT, verify=VERIFY_SSL)
+        valid = response.status_code == 200
+    except Exception:
+        valid = False
+    finally:
+        if platform.system() != 'Windows':
+            signal.alarm(0)
+    return valid
+
+
+# -------------------------------------------------------
+# Supporting functions when token source is set to cookie
+# -------------------------------------------------------
+
 # Returns random user agent string
 def get_random_user_agent() -> str:
     browser = random.choice(['chrome', 'firefox', 'edge', 'safari'])
@@ -909,6 +1095,8 @@ def hex_to_bytes(data: str) -> bytes:
 
 # Creates a TOTP object using a secret derived from transformed cipher bytes
 def generate_totp(ua: str):
+    import pyotp
+
     secret_cipher_bytes = [
         12, 56, 76, 33, 88, 44, 88, 33,
         78, 78, 11, 66, 22, 22, 55, 69, 54,
@@ -951,29 +1139,6 @@ def generate_totp(ua: str):
     return totp_obj, server_time
 
 
-# Sends a lightweight request to check Spotify token validity
-def check_token_validity(token: str, client_id: str, user_agent: str) -> bool:
-    url = "https://api.spotify.com/v1/me"
-    headers = {
-        "Authorization": f"Bearer {token}",
-        "Client-Id": client_id,
-        "User-Agent": user_agent,
-    }
-
-    if platform.system() != 'Windows':
-        signal.signal(signal.SIGALRM, timeout_handler)
-        signal.alarm(FUNCTION_TIMEOUT + 2)
-    try:
-        response = req.get(url, headers=headers, timeout=FUNCTION_TIMEOUT, verify=VERIFY_SSL)
-        valid = response.status_code == 200
-    except Exception:
-        valid = False
-    finally:
-        if platform.system() != 'Windows':
-            signal.alarm(0)
-    return valid
-
-
 # Retrieves a new Spotify access token using the sp_dc cookie, tries first with mode "transport" and if needed with "init"
 def refresh_token(sp_dc: str) -> dict:
     transport = True
@@ -1052,12 +1217,12 @@ def refresh_token(sp_dc: str) -> dict:
 
 
 # Fetches Spotify access token based on provided SP_DC value
-def spotify_get_access_token(sp_dc: str):
-    global SP_CACHED_ACCESS_TOKEN, SP_TOKEN_EXPIRES_AT, SP_CACHED_CLIENT_ID, SP_CACHED_USER_AGENT
+def spotify_get_access_token_from_sp_dc(sp_dc: str):
+    global SP_CACHED_ACCESS_TOKEN, SP_ACCESS_TOKEN_EXPIRES_AT, SP_CACHED_CLIENT_ID, SP_CACHED_USER_AGENT
 
     now = time.time()
 
-    if SP_CACHED_ACCESS_TOKEN and now < SP_TOKEN_EXPIRES_AT and check_token_validity(SP_CACHED_ACCESS_TOKEN, SP_CACHED_CLIENT_ID, SP_CACHED_USER_AGENT):
+    if SP_CACHED_ACCESS_TOKEN and now < SP_ACCESS_TOKEN_EXPIRES_AT and check_token_validity(SP_CACHED_ACCESS_TOKEN, SP_CACHED_CLIENT_ID, SP_CACHED_USER_AGENT):
         return SP_CACHED_ACCESS_TOKEN
 
     max_retries = TOKEN_MAX_RETRIES
@@ -1071,7 +1236,7 @@ def spotify_get_access_token(sp_dc: str):
         length = token_data["length"]
 
         SP_CACHED_ACCESS_TOKEN = token
-        SP_TOKEN_EXPIRES_AT = token_data["expires_at"]
+        SP_ACCESS_TOKEN_EXPIRES_AT = token_data["expires_at"]
         SP_CACHED_CLIENT_ID = client_id
         SP_CACHED_USER_AGENT = user_agent
 
@@ -1096,14 +1261,493 @@ def spotify_get_access_token(sp_dc: str):
     return SP_CACHED_ACCESS_TOKEN
 
 
+# -------------------------------------------------------
+# Supporting functions when token source is set to client
+# -------------------------------------------------------
+
+# Returns random Spotify client user agent string
+def get_random_spotify_user_agent() -> str:
+    os_choice = random.choice(['windows', 'mac', 'linux'])
+
+    if os_choice == 'windows':
+        build = random.randint(120000000, 130000000)
+        arch = random.choice(['Win32', 'Win32_x86_64'])
+        device = random.choice(['desktop', 'laptop'])
+        return f"Spotify/{build} {arch}/0 (PC {device})"
+
+    elif os_choice == 'mac':
+        build = random.randint(120000000, 130000000)
+        arch = random.choice(['OSX_ARM64', 'OSX_X86_64'])
+        major = random.randint(10, 15)
+        minor = random.randint(0, 7)
+        patch = random.randint(0, 5)
+        os_version = f"OS X {major}.{minor}.{patch}"
+        if arch == 'OSX_ARM64':
+            bracket = f"[arm {random.randint(1, 3)}]"
+        else:
+            bracket = "[x86_64]"
+        return f"Spotify/{build} {arch}/{os_version} {bracket}"
+
+    else:  # linux
+        build = random.randint(120000000, 130000000)
+        arch = random.choice(['Linux; x86_64', 'Linux; x86'])
+        return f"Spotify/{build} ({arch})"
+
+
+# Encodes an integer using Protobuf varint format
+def encode_varint(value):
+    result = bytearray()
+    while value > 0x7F:
+        result.append((value & 0x7F) | 0x80)
+        value //= 128
+    result.append(value)
+    return bytes(result)
+
+
+# Encodes a string field with the given tag
+def encode_string_field(tag, value):
+    key = encode_varint((tag << 3) | 2)  # wire type 2 (length-delimited)
+    value_bytes = value.encode('utf-8')
+    length = encode_varint(len(value_bytes))
+    return key + length + value_bytes
+
+
+# Encodes a nested message field with the given tag
+def encode_nested_field(tag, nested_bytes):
+    key = encode_varint((tag << 3) | 2)
+    length = encode_varint(len(nested_bytes))
+    return key + length + nested_bytes
+
+
+# Builds the Spotify Protobuf login request body
+def build_spotify_auth_protobuf(device_id, system_id, user_uri_id, refresh_token):
+    """
+    1 {
+      1: "device_id"
+      2: "system_id"
+    }
+    100 {
+      1: "user_uri_id"
+      2: "refresh_token"
+    }
+    """
+    device_info_msg = encode_string_field(1, device_id) + encode_string_field(2, system_id)
+    field_device_info = encode_nested_field(1, device_info_msg)
+
+    user_auth_msg = encode_string_field(1, user_uri_id) + encode_string_field(2, refresh_token)
+    field_user_auth = encode_nested_field(100, user_auth_msg)
+
+    return field_device_info + field_user_auth
+
+
+# Reads a varint from data starting at index
+def read_varint(data, index):
+    shift = 0
+    result = 0
+    bytes_read = 0
+    while True:
+        b = data[index]
+        result |= ((b & 0x7F) << shift)
+        bytes_read += 1
+        index += 1
+        if not (b & 0x80):
+            break
+        shift += 7
+    return result, bytes_read
+
+
+# Parses Spotify Protobuf login response
+def parse_protobuf_message(data):
+    """
+    Recursively parses a Protobuf message, returns a dictionary mapping tags to values
+
+    If a length-delimited field's first byte is a control character (i.e. < 0x20), we assume it is a nested message
+    and parse it recursively, otherwise we decode it as UTF-8
+    """
+    index = 0
+    result = {}
+    while index < len(data):
+        try:
+            key, key_len = read_varint(data, index)
+        except IndexError:
+            break
+        index += key_len
+        tag = key >> 3
+        wire_type = key & 0x07
+        if wire_type == 2:  # length-delimited
+            length, len_len = read_varint(data, index)
+            index += len_len
+            raw_value = data[index:index + length]
+            index += length
+            # If the first byte is a control character (e.g. 0x0A) assume nested
+            if raw_value and raw_value[0] < 0x20:
+                value = parse_protobuf_message(raw_value)
+            else:
+                try:
+                    value = raw_value.decode('utf-8')
+                except UnicodeDecodeError:
+                    value = raw_value
+            result[tag] = value
+        elif wire_type == 0:  # varint
+            value, var_len = read_varint(data, index)
+            index += var_len
+            result[tag] = value
+        else:
+            break
+    return result  # dictionary mapping tags to values
+
+
+# Parses the Protobuf-encoded login request body file (as dumped for example by Proxyman) and returns a tuple:
+# (device_id, system_id, user_uri_id, refresh_token)
+def parse_request_body_file(file_path):
+    """
+    Expected structure:
+    {
+      1: {
+           1: "device_id",
+           2: "system_id"
+         },
+      100: {
+           1: "user_uri_id",
+           2: "refresh_token"
+         }
+    }
+    """
+    with open(file_path, "rb") as f:
+        data = f.read()
+    parsed = parse_protobuf_message(data)
+
+    device_id = None
+    system_id = None
+    user_uri_id = None
+    refresh_token = None
+
+    if 1 in parsed:
+        device_info = parsed[1]
+        if isinstance(device_info, dict):
+            device_id = device_info.get(1)
+            system_id = device_info.get(2)
+        else:
+            pass
+
+    if 100 in parsed:
+        user_auth = parsed[100]
+        if isinstance(user_auth, dict):
+            user_uri_id = user_auth.get(1)
+            refresh_token = user_auth.get(2)
+
+    protobuf_fields = {
+        "device_id": device_id,
+        "system_id": system_id,
+        "user_uri_id": user_uri_id,
+        "refresh_token": refresh_token,
+    }
+
+    protobuf_missing_fields = [name for name, value in protobuf_fields.items() if value is None]
+
+    if protobuf_missing_fields:
+        missing_str = ", ".join(protobuf_missing_fields)
+        raise Exception(f"Following fields could not be extracted: {missing_str}")
+
+    return device_id, system_id, user_uri_id, refresh_token
+
+
+# Recursively flattens nested dictionaries or lists into a single string
+def deep_flatten(value):
+    if isinstance(value, dict):
+        return "".join(deep_flatten(v) for k, v in sorted(value.items()))
+    elif isinstance(value, list):
+        return "".join(deep_flatten(item) for item in value)
+    else:
+        return str(value)
+
+
+# Returns the input if it's a dict, parses as Protobuf it if it's bytes or returns an empty dict otherwise
+def ensure_dict(value):
+    if isinstance(value, dict):
+        return value
+    if isinstance(value, (bytes, bytearray)):
+        try:
+            return parse_protobuf_message(value)
+        except Exception:
+            return {}
+    return {}
+
+
+# Parses the Protobuf-encoded client token request body file (as dumped for example by Proxyman) and returns a tuple:
+# (app_version, device_id, system_id, cpu_arch, os_build, platform, os_major, os_minor, client_model)
+def parse_clienttoken_request_body_file(file_path):
+
+    with open(file_path, "rb") as f:
+        data = f.read()
+
+    root = ensure_dict(parse_protobuf_message(data).get(2))
+
+    app_version = root.get(1)
+    device_id = root.get(2)
+
+    nested_3 = ensure_dict(root.get(3))
+    nested_1 = ensure_dict(nested_3.get(1))
+    nested_4 = ensure_dict(nested_1.get(4))
+
+    cpu_arch = nested_4.get(1)
+    os_build = nested_4.get(3)
+    platform = nested_4.get(4)
+    os_major = nested_4.get(5)
+    os_minor = nested_4.get(6)
+    client_model = nested_4.get(8)
+
+    system_id = nested_3.get(2)
+
+    required = {
+        "app_version": app_version,
+        "device_id": device_id,
+        "system_id": system_id,
+    }
+    missing = [k for k, v in required.items() if v is None]
+    if missing:
+        raise Exception(f"Could not extract fields: {', '.join(missing)}")
+
+    return (app_version, device_id, system_id, cpu_arch, os_build, platform, os_major, os_minor, client_model)
+
+
+# Converts Spotify user agent string to Protobuf app_version string
+# For example: 'Spotify/126200580 Win32_x86_64/0 (PC desktop)' to '1.2.62.580.g<random-hex>'
+def ua_to_app_version(user_agent: str) -> str:
+
+    m = re.search(r"Spotify/(\d{5,})", user_agent)
+    if not m:
+        raise ValueError(f"User-Agent missing build number: {user_agent!r}")
+
+    digits = m.group(1)
+    if len(digits) < 5:
+        raise ValueError(f"Build number too short: {digits}")
+
+    major = digits[0]
+    minor = digits[1]
+    patch = str(int(digits[2:4]))
+    build = str(int(digits[4:]))
+    suffix = secrets.token_hex(4)
+
+    return f"{major}.{minor}.{patch}.{build}.g{suffix}"
+
+
+# Builds the Protobuf client token request body
+def build_clienttoken_request_protobuf(app_version, device_id, system_id, cpu_arch=10, os_build=19045, platform=2, os_major=9, os_minor=9, client_model=34404):
+    """
+        1: 1 (const)
+        2: {
+          1: app_version
+          2: device_id
+          3: {
+            1: {
+              4: device_details
+            }
+            2: system_id
+          }
+        }
+    """
+
+    leaf = (
+        encode_varint((1 << 3) | 0) + encode_varint(cpu_arch) + encode_varint((3 << 3) | 0) + encode_varint(os_build) + encode_varint((4 << 3) | 0) + encode_varint(platform) + encode_varint((5 << 3) | 0) + encode_varint(os_major) + encode_varint((6 << 3) | 0) + encode_varint(os_minor) + encode_varint((8 << 3) | 0) + encode_varint(client_model))
+
+    msg_4 = encode_nested_field(4, leaf)
+    msg_1 = encode_nested_field(1, msg_4)
+    msg_3 = msg_1 + encode_string_field(2, system_id)
+
+    payload = (encode_string_field(1, app_version) + encode_string_field(2, device_id) + encode_nested_field(3, msg_3))
+
+    root = (encode_varint((1 << 3) | 0) + encode_varint(1) + encode_nested_field(2, payload))
+
+    return root
+
+
+# Fetches Spotify access token based on provided device_id, system_id, user_uri_id, refresh_token and client_token value
+def spotify_get_access_token_from_client(device_id, system_id, user_uri_id, refresh_token, client_token):
+    global SP_CACHED_ACCESS_TOKEN, SP_CACHED_REFRESH_TOKEN, SP_ACCESS_TOKEN_EXPIRES_AT
+
+    if SP_CACHED_ACCESS_TOKEN and time.time() < SP_ACCESS_TOKEN_EXPIRES_AT and check_token_validity(SP_CACHED_ACCESS_TOKEN):
+        return SP_CACHED_ACCESS_TOKEN
+
+    if not client_token:
+        raise Exception("Client token is missing")
+
+    if SP_CACHED_REFRESH_TOKEN:
+        refresh_token = SP_CACHED_REFRESH_TOKEN
+
+    protobuf_body = build_spotify_auth_protobuf(device_id, system_id, user_uri_id, refresh_token)
+
+    parsed_url = urlparse(LOGIN_URL)
+    host = parsed_url.netloc  # e.g., "login5.spotify.com"
+    origin = f"{parsed_url.scheme}://{parsed_url.netloc}"  # e.g., "https://login5.spotify.com"
+
+    headers = {
+        "Host": host,
+        "Connection": "keep-alive",
+        "Content-Type": "application/x-protobuf",
+        "User-Agent": USER_AGENT,
+        "X-Retry-Count": "0",
+        "Client-Token": client_token,
+        "Origin": origin,
+        "Accept-Language": "en-Latn-GB,en-GB;q=0.9,en;q=0.8",
+        "Sec-Fetch-Site": "same-origin",
+        "Sec-Fetch-Mode": "no-cors",
+        "Sec-Fetch-Dest": "empty",
+        "Accept-Encoding": "gzip, deflate, br, zstd"
+    }
+
+    try:
+        if platform.system() != 'Windows':
+            signal.signal(signal.SIGALRM, timeout_handler)
+            signal.alarm(FUNCTION_TIMEOUT + 2)
+        response = req.post(LOGIN_URL, headers=headers, data=protobuf_body, timeout=FUNCTION_TIMEOUT, verify=VERIFY_SSL)
+    except (req.RequestException, TimeoutException) as e:
+        raise Exception(f"spotify_get_access_token_from_client() network request timeout after {display_time(FUNCTION_TIMEOUT + 2)}: {e}")
+    finally:
+        if platform.system() != 'Windows':
+            signal.alarm(0)
+
+    if response.status_code != 200:
+        if response.headers.get("client-token-error") == "INVALID_CLIENTTOKEN":
+            raise Exception(f"Request failed with status {response.status_code}: invalid client token")
+        elif response.headers.get("client-token-error") == "EXPIRED_CLIENTTOKEN":
+            raise Exception(f"Request failed with status {response.status_code}: expired client token")
+
+        raise Exception(f"Request failed with status code {response.status_code}\nResponse Headers: {response.headers}\nResponse Content (raw): {response.content}\nResponse text: {response.text}")
+
+    parsed = parse_protobuf_message(response.content)
+    # {1: {1: user_uri_id, 2: access_token, 3: refresh_token, 4: expires_in}}
+    access_token_raw = None
+    expires_in = 3600  # default
+    if 1 in parsed and isinstance(parsed[1], dict):
+        nested = parsed[1]
+        access_token_raw = nested.get(2)
+        user_uri_id = parsed[1].get(1)
+
+        if 4 in nested:
+            raw_expires = nested.get(4)
+            if isinstance(raw_expires, (int, str, bytes)):
+                try:
+                    expires_in = int(raw_expires)
+                except ValueError:
+                    expires_in = 3600
+
+    access_token = deep_flatten(access_token_raw) if access_token_raw else None
+
+    if not access_token:
+        raise Exception("Access token not found in response")
+
+    SP_CACHED_ACCESS_TOKEN = access_token
+    SP_CACHED_REFRESH_TOKEN = parsed[1].get(3)
+    SP_ACCESS_TOKEN_EXPIRES_AT = time.time() + expires_in
+    return access_token
+
+
+# Fetches fresh client token
+def spotify_get_client_token(app_version, device_id, system_id, **device_overrides):
+    global SP_CACHED_CLIENT_TOKEN, SP_CLIENT_TOKEN_EXPIRES_AT
+
+    if SP_CACHED_CLIENT_TOKEN and time.time() < SP_CLIENT_TOKEN_EXPIRES_AT:
+        return SP_CACHED_CLIENT_TOKEN
+
+    body = build_clienttoken_request_protobuf(app_version, device_id, system_id, **device_overrides)
+
+    headers = {
+        "Host": "clienttoken.spotify.com",
+        "Connection": "keep-alive",
+        "Pragma": "no-cache",
+        "Cache-Control": "no-cache, no-store, max-age=0",
+        "Accept": "application/x-protobuf",
+        "Content-Type": "application/x-protobuf",
+        "User-Agent": USER_AGENT,
+        "Origin": "https://clienttoken.spotify.com",
+        "Accept-Language": "en-Latn-GB,en-GB;q=0.9,en;q=0.8",
+        "Sec-Fetch-Site": "same-origin",
+        "Sec-Fetch-Mode": "no-cors",
+        "Sec-Fetch-Dest": "empty",
+        "Accept-Encoding": "gzip, deflate, br, zstd",
+    }
+
+    try:
+        if platform.system() != 'Windows':
+            signal.signal(signal.SIGALRM, timeout_handler)
+            signal.alarm(FUNCTION_TIMEOUT + 2)
+        response = req.post(CLIENTTOKEN_URL, headers=headers, data=body, timeout=FUNCTION_TIMEOUT, verify=VERIFY_SSL)
+    except (req.RequestException, TimeoutException) as e:
+        raise Exception(f"spotify_get_client_token() network request timeout after {display_time(FUNCTION_TIMEOUT + 2)}: {e}")
+    finally:
+        if platform.system() != 'Windows':
+            signal.alarm(0)
+
+    if response.status_code != 200:
+        raise Exception(f"clienttoken request failed - status {response.status_code}\nHeaders: {response.headers}\nBody (raw): {response.content[:120]}...")
+
+    parsed = parse_protobuf_message(response.content)
+    inner = parsed.get(2, {})
+    client_token = deep_flatten(inner.get(1)) if inner.get(1) else None
+    ttl = int(inner.get(3, 0)) or 1209600   # ≈ 2 weeks fallback
+
+    if not client_token:
+        raise Exception("clienttoken response did not contain a token")
+
+    SP_CACHED_CLIENT_TOKEN = client_token
+    SP_CLIENT_TOKEN_EXPIRES_AT = time.time() + ttl
+
+    return client_token
+
+
+# Fetches Spotify access token with automatic client token refresh
+def spotify_get_access_token_from_client_auto(device_id, system_id, user_uri_id, refresh_token):
+    client_token = None
+
+    if all([
+        CLIENTTOKEN_URL,
+        APP_VERSION,
+        CPU_ARCH is not None and CPU_ARCH > 0,
+        OS_BUILD is not None and OS_BUILD > 0,
+        PLATFORM is not None and PLATFORM > 0,
+        OS_MAJOR is not None and OS_MAJOR > 0,
+        OS_MINOR is not None and OS_MINOR > 0,
+        CLIENT_MODEL is not None and CLIENT_MODEL > 0
+    ]):
+        client_token = spotify_get_client_token(app_version=APP_VERSION, device_id=device_id, system_id=system_id, cpu_arch=CPU_ARCH, os_build=OS_BUILD, platform=PLATFORM, os_major=OS_MAJOR, os_minor=OS_MINOR, client_model=CLIENT_MODEL)
+
+    try:
+        return spotify_get_access_token_from_client(device_id, system_id, user_uri_id, refresh_token, client_token)
+    except Exception as e:
+        err = str(e).lower()
+        if all([
+            CLIENTTOKEN_URL,
+            APP_VERSION,
+            CPU_ARCH is not None and CPU_ARCH > 0,
+            OS_BUILD is not None and OS_BUILD > 0,
+            PLATFORM is not None and PLATFORM > 0,
+            OS_MAJOR is not None and OS_MAJOR > 0,
+            OS_MINOR is not None and OS_MINOR > 0,
+            CLIENT_MODEL is not None and CLIENT_MODEL > 0
+        ]) and ("invalid client token" in err or "expired client token" in err):
+            global SP_CLIENT_TOKEN_EXPIRES_AT
+            SP_CLIENT_TOKEN_EXPIRES_AT = 0
+
+            client_token = spotify_get_client_token(app_version=APP_VERSION, device_id=DEVICE_ID, system_id=SYSTEM_ID, cpu_arch=CPU_ARCH, os_build=OS_BUILD, platform=PLATFORM, os_major=OS_MAJOR, os_minor=OS_MINOR, client_model=CLIENT_MODEL)
+
+            return spotify_get_access_token_from_client(device_id, system_id, user_uri_id, refresh_token, client_token)
+        raise
+
+
+# --------------------------------------------------------
+
+
 # Fetches list of Spotify friends
 def spotify_get_friends_json(access_token):
     url = "https://guc-spclient.spotify.com/presence-view/v1/buddylist"
-    headers = {
-        "Authorization": f"Bearer {access_token}",
-        "Client-Id": SP_CACHED_CLIENT_ID,
-        "User-Agent": SP_CACHED_USER_AGENT,
-    }
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    if TOKEN_SOURCE == "cookie":
+        headers.update({
+            "Client-Id": SP_CACHED_CLIENT_ID,
+            "User-Agent": SP_CACHED_USER_AGENT,
+        })
 
     response = SESSION.get(url, headers=headers, timeout=FUNCTION_TIMEOUT, verify=VERIFY_SSL)
     if response.status_code == 401:
@@ -1123,7 +1767,10 @@ def spotify_convert_uri_to_url(uri):
     si = "?si=1"
     # si=""
 
+    uri = uri or ''
     url = ""
+    if not isinstance(uri, str):
+        return url
     if "spotify:user:" in uri:
         s_id = uri.split(':', 2)[2]
         url = f"https://open.spotify.com/user/{s_id}{si}"
@@ -1223,11 +1870,13 @@ def spotify_get_friend_info(friend_activity, uri):
 def spotify_get_track_info(access_token, track_uri):
     track_id = track_uri.split(':', 2)[2]
     url = "https://api.spotify.com/v1/tracks/" + track_id
-    headers = {
-        "Authorization": f"Bearer {access_token}",
-        "Client-Id": SP_CACHED_CLIENT_ID,
-        "User-Agent": SP_CACHED_USER_AGENT,
-    }
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    if TOKEN_SOURCE == "cookie":
+        headers.update({
+            "Client-Id": SP_CACHED_CLIENT_ID,
+            "User-Agent": SP_CACHED_USER_AGENT,
+        })
     # add si parameter so link opens in native Spotify app after clicking
     si = "?si=1"
 
@@ -1251,11 +1900,13 @@ def spotify_get_track_info(access_token, track_uri):
 def spotify_get_playlist_info(access_token, playlist_uri):
     playlist_id = playlist_uri.split(':', 2)[2]
     url = f"https://api.spotify.com/v1/playlists/{playlist_id}?fields=name,owner,followers,external_urls"
-    headers = {
-        "Authorization": f"Bearer {access_token}",
-        "Client-Id": SP_CACHED_CLIENT_ID,
-        "User-Agent": SP_CACHED_USER_AGENT,
-    }
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    if TOKEN_SOURCE == "cookie":
+        headers.update({
+            "Client-Id": SP_CACHED_CLIENT_ID,
+            "User-Agent": SP_CACHED_USER_AGENT,
+        })
     # add si parameter so link opens in native Spotify app after clicking
     si = "?si=1"
 
@@ -1276,15 +1927,17 @@ def spotify_get_playlist_info(access_token, playlist_uri):
 # Gets basic information about access token owner
 def spotify_get_current_user(access_token) -> dict | None:
     url = "https://api.spotify.com/v1/me"
-    headers = {
-        "Authorization": f"Bearer {access_token}",
-        "Client-Id": SP_CACHED_CLIENT_ID,
-        "User-Agent": SP_CACHED_USER_AGENT,
-    }
+    headers = {"Authorization": f"Bearer {access_token}"}
+
+    if TOKEN_SOURCE == "cookie":
+        headers.update({
+            "Client-Id": SP_CACHED_CLIENT_ID,
+            "User-Agent": SP_CACHED_USER_AGENT,
+        })
 
     if platform.system() != 'Windows':
         signal.signal(signal.SIGALRM, timeout_handler)
-        signal.alarm(ALARM_TIMEOUT + 2)
+        signal.alarm(FUNCTION_TIMEOUT + 2)
     try:
         response = SESSION.get(url, headers=headers, timeout=FUNCTION_TIMEOUT, verify=VERIFY_SSL)
         response.raise_for_status()
@@ -1444,7 +2097,10 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
             signal.signal(signal.SIGALRM, timeout_handler)
             signal.alarm(ALARM_TIMEOUT)
         try:
-            sp_accessToken = spotify_get_access_token(SP_DC_COOKIE)
+            if TOKEN_SOURCE == "client":
+                sp_accessToken = spotify_get_access_token_from_client_auto(DEVICE_ID, SYSTEM_ID, USER_URI_ID, REFRESH_TOKEN)
+            else:
+                sp_accessToken = spotify_get_access_token_from_sp_dc(SP_DC_COOKIE)
             sp_friends = spotify_get_friends_json(sp_accessToken)
             sp_found, sp_data = spotify_get_friend_info(sp_friends, user_uri_id)
             email_sent = False
@@ -1461,12 +2117,27 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
             if platform.system() != 'Windows':
                 signal.alarm(0)
 
+            err = str(e).lower()
+
             print(f"* Error, retrying in {display_time(SPOTIFY_ERROR_INTERVAL)}: {e}")
 
-            if "401" in str(e):
+            if TOKEN_SOURCE == 'cookie' and '401' in err:
                 SP_CACHED_ACCESS_TOKEN = None
 
-            if ('access token' in str(e)) or ('Unsuccessful token request' in str(e)):
+            client_errs = ['access token', 'invalid client token', 'expired client token']
+            cookie_errs = ['access token', 'unsuccessful token request']
+
+            if TOKEN_SOURCE == 'client' and any(k in err for k in client_errs):
+                print(f"* Error: client token or refresh token might have expired!")
+                if ERROR_NOTIFICATION and not email_sent:
+                    m_subject = f"spotify_monitor: client token or refresh token might have expired! (uri: {user_uri_id})"
+                    m_body = f"Client token or refresh token might have expired!\n{e}{get_cur_ts(nl_ch + nl_ch + 'Timestamp: ')}"
+                    m_body_html = f"<html><head></head><body>Client token or refresh token might have expired!<br>{escape(str(e))}{get_cur_ts('<br><br>Timestamp: ')}</body></html>"
+                    print(f"Sending email notification to {RECEIVER_EMAIL}")
+                    send_email(m_subject, m_body, m_body_html, SMTP_SSL)
+                    email_sent = True
+
+            elif TOKEN_SOURCE == 'cookie' and any(k in err for k in cookie_errs):
                 print(f"* Error: sp_dc might have expired!")
                 if ERROR_NOTIFICATION and not email_sent:
                     m_subject = f"spotify_monitor: sp_dc might have expired! (uri: {user_uri_id})"
@@ -1475,6 +2146,7 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
                     print(f"Sending email notification to {RECEIVER_EMAIL}")
                     send_email(m_subject, m_body, m_body_html, SMTP_SSL)
                     email_sent = True
+
             print_cur_ts("Timestamp:\t\t\t")
             time.sleep(SPOTIFY_ERROR_INTERVAL)
             continue
@@ -1491,7 +2163,7 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
 
             user_info = spotify_get_current_user(sp_accessToken)
             if user_info:
-                print(f"Token belongs to:\t\t{user_info.get('display_name', '')}\n\t\t\t\t[ {user_info.get('spotify_url')} ]")
+                print(f"Token belongs to:\t\t{user_info.get('display_name', '')} (via {TOKEN_SOURCE})\n\t\t\t\t[ {user_info.get('spotify_url')} ]")
 
             sp_track_uri = sp_data["sp_track_uri"]
             sp_track_uri_id = sp_data["sp_track_uri_id"]
@@ -1643,7 +2315,10 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
                         signal.signal(signal.SIGALRM, timeout_handler)
                         signal.alarm(ALARM_TIMEOUT)
                     try:
-                        sp_accessToken = spotify_get_access_token(SP_DC_COOKIE)
+                        if TOKEN_SOURCE == "client":
+                            sp_accessToken = spotify_get_access_token_from_client_auto(DEVICE_ID, SYSTEM_ID, USER_URI_ID, REFRESH_TOKEN)
+                        else:
+                            sp_accessToken = spotify_get_access_token_from_sp_dc(SP_DC_COOKIE)
                         sp_friends = spotify_get_friends_json(sp_accessToken)
                         sp_found, sp_data = spotify_get_friend_info(sp_friends, user_uri_id)
                         email_sent = False
@@ -1660,11 +2335,13 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
                         if platform.system() != 'Windows':
                             signal.alarm(0)
 
-                        if "401" in str(e):
+                        err = str(e).lower()
+
+                        if TOKEN_SOURCE == 'cookie' and '401' in err:
                             SP_CACHED_ACCESS_TOKEN = None
 
                         str_matches = ["500 server", "504 server", "502 server", "503 server"]
-                        if any(x in str(e).lower() for x in str_matches):
+                        if any(x in err for x in str_matches):
                             if not error_500_start_ts:
                                 error_500_start_ts = int(time.time())
                                 error_500_counter = 1
@@ -1672,7 +2349,7 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
                                 error_500_counter += 1
 
                         str_matches = ["timed out", "timeout", "name resolution", "failed to resolve", "family not supported", "429 client", "aborted"]
-                        if any(x in str(e).lower() for x in str_matches) or str(e) == '':
+                        if any(x in err for x in str_matches) or str(e) == '':
                             if not error_network_issue_start_ts:
                                 error_network_issue_start_ts = int(time.time())
                                 error_network_issue_counter = 1
@@ -1693,7 +2370,21 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
 
                         elif not error_500_start_ts and not error_network_issue_start_ts:
                             print(f"* Error, retrying in {display_time(SPOTIFY_ERROR_INTERVAL)}: '{e}'")
-                            if ('access token' in str(e)) or ('Unsuccessful token request' in str(e)):
+
+                            client_errs = ['access token', 'invalid client token', 'expired client token']
+                            cookie_errs = ['access token', 'unsuccessful token request']
+
+                            if TOKEN_SOURCE == 'client' and any(k in err for k in client_errs):
+                                print(f"* Error: client token or refresh token might have expired!")
+                                if ERROR_NOTIFICATION and not email_sent:
+                                    m_subject = f"spotify_monitor: client token or refresh token might have expired! (uri: {user_uri_id})"
+                                    m_body = f"Client token or refresh token might have expired!\n{e}{get_cur_ts(nl_ch + nl_ch + 'Timestamp: ')}"
+                                    m_body_html = f"<html><head></head><body>Client token or refresh token might have expired!<br>{escape(str(e))}{get_cur_ts('<br><br>Timestamp: ')}</body></html>"
+                                    print(f"Sending email notification to {RECEIVER_EMAIL}")
+                                    send_email(m_subject, m_body, m_body_html, SMTP_SSL)
+                                    email_sent = True
+
+                            elif TOKEN_SOURCE == 'cookie' and any(k in err for k in cookie_errs):
                                 print(f"* Error: sp_dc might have expired!")
                                 if ERROR_NOTIFICATION and not email_sent:
                                     m_subject = f"spotify_monitor: sp_dc might have expired! (uri: {user_uri_id})"
@@ -1702,6 +2393,7 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
                                     print(f"Sending email notification to {RECEIVER_EMAIL}")
                                     send_email(m_subject, m_body, m_body_html, SMTP_SSL)
                                     email_sent = True
+
                             print_cur_ts("Timestamp:\t\t\t")
                         time.sleep(SPOTIFY_ERROR_INTERVAL)
 
@@ -2033,7 +2725,7 @@ def spotify_monitor_friend_uri(user_uri_id, tracks, csv_file_name):
 
 
 def main():
-    global CLI_CONFIG_PATH, DOTENV_FILE, LIVENESS_CHECK_COUNTER, SP_DC_COOKIE, CSV_FILE, MONITOR_LIST_FILE, FILE_SUFFIX, DISABLE_LOGGING, SP_LOGFILE, ACTIVE_NOTIFICATION, INACTIVE_NOTIFICATION, TRACK_NOTIFICATION, SONG_NOTIFICATION, SONG_ON_LOOP_NOTIFICATION, ERROR_NOTIFICATION, SPOTIFY_CHECK_INTERVAL, SPOTIFY_INACTIVITY_CHECK, SPOTIFY_ERROR_INTERVAL, SPOTIFY_DISAPPEARED_CHECK_INTERVAL, TRACK_SONGS, SMTP_PASSWORD, stdout_bck
+    global CLI_CONFIG_PATH, DOTENV_FILE, LIVENESS_CHECK_COUNTER, LOGIN_REQUEST_BODY_FILE, CLIENTTOKEN_REQUEST_BODY_FILE, REFRESH_TOKEN, LOGIN_URL, USER_AGENT, DEVICE_ID, SYSTEM_ID, USER_URI_ID, SP_DC_COOKIE, CSV_FILE, MONITOR_LIST_FILE, FILE_SUFFIX, DISABLE_LOGGING, SP_LOGFILE, ACTIVE_NOTIFICATION, INACTIVE_NOTIFICATION, TRACK_NOTIFICATION, SONG_NOTIFICATION, SONG_ON_LOOP_NOTIFICATION, ERROR_NOTIFICATION, SPOTIFY_CHECK_INTERVAL, SPOTIFY_INACTIVITY_CHECK, SPOTIFY_ERROR_INTERVAL, SPOTIFY_DISAPPEARED_CHECK_INTERVAL, TRACK_SONGS, SMTP_PASSWORD, stdout_bck, APP_VERSION, CPU_ARCH, OS_BUILD, PLATFORM, OS_MAJOR, OS_MINOR, CLIENT_MODEL, TOKEN_SOURCE, ALARM_TIMEOUT, pyotp
 
     if "--generate-config" in sys.argv:
         print(CONFIG_BLOCK.strip("\n"))
@@ -2062,7 +2754,8 @@ def main():
         "user_id",
         nargs="?",
         metavar="SPOTIFY_USER_URI_ID",
-        help="Spotify user URI ID"
+        help="Spotify user URI ID",
+        type=str
     )
 
     # Version, just to list in help, it is handled earlier
@@ -2092,15 +2785,40 @@ def main():
         help="Path to optional dotenv file (auto-search if not set, disable with 'none')",
     )
 
-    # API credentials
-    creds = parser.add_argument_group("API credentials")
-    creds.add_argument(
+    # Token source
+    parser.add_argument(
+        "--token-source",
+        dest="token_source",
+        choices=["cookie", "client"],
+        help="Method to obtain Spotify access token: 'cookie' (via sp_dc cookie) or 'client' (via desktop client login protobuf)"
+    )
+
+    # Cookie token source credentials (used when token source is set to cookie)
+    api_creds = parser.add_argument_group("Cookie token source credentials")
+    api_creds.add_argument(
         "-u", "--spotify-dc-cookie",
         dest="spotify_dc_cookie",
         metavar="SP_DC_COOKIE",
+        type=str,
         help="Spotify sp_dc cookie"
     )
 
+    # Client token source credentials (used when token source is set to client)
+    client_creds = parser.add_argument_group("Client token source credentials")
+    client_creds.add_argument(
+        "-w", "--login-request-body-file",
+        dest="login_request_body_file",
+        metavar="PROTOBUF_FILENAME",
+        help="Read device_id, system_id, user_uri_id and refresh_token from binary Protobuf login file"
+    )
+
+    client_creds.add_argument(
+        "-z", "--clienttoken-request-body-file",
+        dest="clienttoken_request_body_file",
+        metavar="PROTOBUF_FILENAME",
+        help="Read app_version, cpu_arch, os_build, platform, os_major, os_minor and client_model from binary Protobuf client token file"
+    )
+
     # Notifications
     notify = parser.add_argument_group("Notifications")
     notify.add_argument(
@@ -2143,7 +2861,7 @@ def main():
         dest="notify_errors",
         action="store_false",
         default=None,
-        help="Disable email on errors (e.g. expired sp_dc)"
+        help="Disable emails on errors"
     )
     notify.add_argument(
         "--send-test-email",
@@ -2226,7 +2944,7 @@ def main():
         dest="disable_logging",
         action="store_true",
         default=None,
-        help="Disable logging to file spotify_monitor_<user_uri_id/file_suffix>.log"
+        help="Disable logging to spotify_monitor_<user_uri_id/file_suffix>.log"
     )
 
     args = parser.parse_args()
@@ -2285,6 +3003,19 @@ def main():
             if val is not None:
                 globals()[secret] = val
 
+    if args.token_source:
+        TOKEN_SOURCE = args.token_source
+
+    if not TOKEN_SOURCE:
+        TOKEN_SOURCE = "cookie"
+
+    if TOKEN_SOURCE == "cookie":
+        ALARM_TIMEOUT = int((TOKEN_MAX_RETRIES * TOKEN_RETRY_TIMEOUT) + 5)
+        try:
+            import pyotp
+        except ModuleNotFoundError:
+            raise SystemExit("Error: Couldn't find the pyotp library !\n\nTo install it, run:\n    pip3 install pyotp\n\nOnce installed, re-run this tool")
+
     if not check_internet():
         sys.exit(1)
 
@@ -2306,21 +3037,112 @@ def main():
     if args.disappeared_timer:
         SPOTIFY_DISAPPEARED_CHECK_INTERVAL = args.disappeared_timer
 
-    if args.spotify_dc_cookie:
-        SP_DC_COOKIE = args.spotify_dc_cookie
+    if TOKEN_SOURCE == "client":
+        login_request_body_file_param = False
+        if args.login_request_body_file:
+            LOGIN_REQUEST_BODY_FILE = os.path.expanduser(args.login_request_body_file)
+            login_request_body_file_param = True
+        else:
+            if LOGIN_REQUEST_BODY_FILE:
+                LOGIN_REQUEST_BODY_FILE = os.path.expanduser(LOGIN_REQUEST_BODY_FILE)
 
-    if not SP_DC_COOKIE or SP_DC_COOKIE == "your_sp_dc_cookie_value":
-        print("* Error: SP_DC_COOKIE (-u / --spotify-dc-cookie) value is empty or incorrect")
-        sys.exit(1)
+        if LOGIN_REQUEST_BODY_FILE:
+            if os.path.isfile(LOGIN_REQUEST_BODY_FILE):
+                try:
+                    DEVICE_ID, SYSTEM_ID, USER_URI_ID, REFRESH_TOKEN = parse_request_body_file(LOGIN_REQUEST_BODY_FILE)
+                except Exception as e:
+                    print(f"* Error: Protobuf file ({LOGIN_REQUEST_BODY_FILE}) cannot be processed: {e}")
+                    sys.exit(1)
+                else:
+                    if not args.user_id and not args.list_friends and not args.show_user_info and login_request_body_file_param:
+                        print(f"* Login data correctly read from Protobuf file ({LOGIN_REQUEST_BODY_FILE}):")
+                        print(" - Device ID:\t\t", DEVICE_ID)
+                        print(" - System ID:\t\t", SYSTEM_ID)
+                        print(" - User URI ID:\t\t", USER_URI_ID)
+                        print(" - Refresh Token:\t", REFRESH_TOKEN, "\n")
+                        sys.exit(0)
+            else:
+                print(f"* Error: Protobuf file ({LOGIN_REQUEST_BODY_FILE}) does not exist")
+                sys.exit(1)
+
+        if not USER_AGENT:
+            USER_AGENT = get_random_spotify_user_agent()
+
+        if any([
+            not LOGIN_URL,
+            not USER_AGENT,
+            not DEVICE_ID,
+            DEVICE_ID == "your_spotify_app_device_id",
+            not SYSTEM_ID,
+            SYSTEM_ID == "your_spotify_app_system_id",
+            not USER_URI_ID,
+            USER_URI_ID == "your_spotify_user_uri_id",
+            not REFRESH_TOKEN,
+            REFRESH_TOKEN == "your_spotify_app_refresh_token",
+        ]):
+            print("* Error: Some login values are empty or incorrect")
+            sys.exit(1)
+
+        clienttoken_request_body_file_param = False
+        if args.clienttoken_request_body_file:
+            CLIENTTOKEN_REQUEST_BODY_FILE = os.path.expanduser(args.clienttoken_request_body_file)
+            clienttoken_request_body_file_param = True
+        else:
+            if CLIENTTOKEN_REQUEST_BODY_FILE:
+                CLIENTTOKEN_REQUEST_BODY_FILE = os.path.expanduser(CLIENTTOKEN_REQUEST_BODY_FILE)
+
+        if CLIENTTOKEN_REQUEST_BODY_FILE:
+            if os.path.isfile(CLIENTTOKEN_REQUEST_BODY_FILE):
+                try:
+
+                    (APP_VERSION, _, _, CPU_ARCH, OS_BUILD, PLATFORM, OS_MAJOR, OS_MINOR, CLIENT_MODEL) = parse_clienttoken_request_body_file(CLIENTTOKEN_REQUEST_BODY_FILE)
+                except Exception as e:
+                    print(f"* Error: Protobuf file ({CLIENTTOKEN_REQUEST_BODY_FILE}) cannot be processed: {e}")
+                    sys.exit(1)
+                else:
+                    if not args.user_id and not args.list_friends and not args.show_user_info and clienttoken_request_body_file_param:
+                        print(f"* Client token data correctly read from Protobuf file ({CLIENTTOKEN_REQUEST_BODY_FILE}):")
+                        print(" - App version:\t\t", APP_VERSION)
+                        print(" - CPU arch:\t\t", CPU_ARCH)
+                        print(" - OS build:\t\t", OS_BUILD)
+                        print(" - Platform:\t\t", PLATFORM)
+                        print(" - OS major:\t\t", OS_MAJOR)
+                        print(" - OS minor:\t\t", OS_MINOR)
+                        print(" - Client model:\t", CLIENT_MODEL)
+                        sys.exit(0)
+            else:
+                print(f"* Error: Protobuf file ({CLIENTTOKEN_REQUEST_BODY_FILE}) does not exist")
+                sys.exit(1)
+
+        app_version_default = "1.2.62.580.g7e3d9a4f"
+        if USER_AGENT and not APP_VERSION:
+            try:
+                APP_VERSION = ua_to_app_version(USER_AGENT)
+            except Exception as e:
+                print(f"Warning: wrong USER_AGENT defined, reverting to the default one: {e}")
+                APP_VERSION = app_version_default
+        else:
+            APP_VERSION = app_version_default
+
+    else:
+        if args.spotify_dc_cookie:
+            SP_DC_COOKIE = args.spotify_dc_cookie
+
+        if not SP_DC_COOKIE or SP_DC_COOKIE == "your_sp_dc_cookie_value":
+            print("* Error: SP_DC_COOKIE (-u / --spotify_dc_cookie) value is empty or incorrect")
+            sys.exit(1)
 
     if args.show_user_info:
         print("* Getting basic information about access token owner ...\n")
         try:
-            accessToken = spotify_get_access_token(SP_DC_COOKIE)
-            user_info = spotify_get_current_user(accessToken)
+            if TOKEN_SOURCE == "client":
+                sp_accessToken = spotify_get_access_token_from_client_auto(DEVICE_ID, SYSTEM_ID, USER_URI_ID, REFRESH_TOKEN)
+            else:
+                sp_accessToken = spotify_get_access_token_from_sp_dc(SP_DC_COOKIE)
+            user_info = spotify_get_current_user(sp_accessToken)
 
             if user_info:
-                print(f"Token belongs to:\n")
+                print(f"Token fetched via {TOKEN_SOURCE} belongs to:\n")
 
                 print(f"Username:\t\t{user_info.get('display_name', '')}")
                 print(f"User URI ID:\t\t{user_info.get('uri', '').split('spotify:user:', 1)[1]}")
@@ -2340,11 +3162,14 @@ def main():
     if args.list_friends:
         print("* Listing Spotify friends ...\n")
         try:
-            accessToken = spotify_get_access_token(SP_DC_COOKIE)
-            user_info = spotify_get_current_user(accessToken)
+            if TOKEN_SOURCE == "client":
+                sp_accessToken = spotify_get_access_token_from_client_auto(DEVICE_ID, SYSTEM_ID, USER_URI_ID, REFRESH_TOKEN)
+            else:
+                sp_accessToken = spotify_get_access_token_from_sp_dc(SP_DC_COOKIE)
+            user_info = spotify_get_current_user(sp_accessToken)
             if user_info:
-                print(f"Token belongs to:\t\t{user_info.get('display_name', '')}\n\t\t\t\t[ {user_info.get('spotify_url')} ]")
-            sp_friends = spotify_get_friends_json(accessToken)
+                print(f"Token belongs to:\t\t{user_info.get('display_name', '')} (via {TOKEN_SOURCE})\n\t\t\t\t[ {user_info.get('spotify_url')} ]")
+            sp_friends = spotify_get_friends_json(sp_accessToken)
             spotify_list_friends(sp_friends)
             print("─" * HORIZONTAL_LINE)
         except Exception as e:
@@ -2450,6 +3275,7 @@ def main():
 
     print(f"* Spotify polling intervals:\t[check: {display_time(SPOTIFY_CHECK_INTERVAL)}] [inactivity: {display_time(SPOTIFY_INACTIVITY_CHECK)}]\n\t\t\t\t[disappeared: {display_time(SPOTIFY_DISAPPEARED_CHECK_INTERVAL)}] [error: {display_time(SPOTIFY_ERROR_INTERVAL)}]")
     print(f"* Email notifications:\t\t[active = {ACTIVE_NOTIFICATION}] [inactive = {INACTIVE_NOTIFICATION}] [tracked = {TRACK_NOTIFICATION}]\n*\t\t\t\t[songs on loop = {SONG_ON_LOOP_NOTIFICATION}] [every song = {SONG_NOTIFICATION}] [errors = {ERROR_NOTIFICATION}]")
+    print(f"* Token source:\t\t\t{TOKEN_SOURCE}")
     print(f"* Track listened songs:\t\t{TRACK_SONGS}")
     print(f"* Liveness check:\t\t{bool(LIVENESS_CHECK_INTERVAL)}" + (f" ({display_time(LIVENESS_CHECK_INTERVAL)})" if LIVENESS_CHECK_INTERVAL else ""))
     print(f"* CSV logging enabled:\t\t{bool(CSV_FILE)}" + (f" ({CSV_FILE})" if CSV_FILE else ""))