I'm trying to write an R package that can be run in a headless environment like Github Actions. Using httr you can authenticate with the Spotify API in an interactive session with the below code (stolen from spotifyr)

get_spotify_authorization_code <- function(
  client_id = Sys.getenv("SPOTIFY_CLIENT_ID"),
  client_secret = Sys.getenv("SPOTIFY_CLIENT_SECRET"),
  scope = get_scopes()
) {
  
  endpoint <- oauth_endpoint(authorize = 'https://accounts.spotify.com/authorize',
                             access = 'https://accounts.spotify.com/api/token')
  
  app <- oauth_app('spotty', client_id, client_secret)
  
  token <- safely(.f=oauth2.0_token)(
    endpoint = endpoint,
    app = app,
    scope = scope)
  
  if (!is.null(token$error)) {
    token$error
  } else {
    token$result
  }
}

When you first run this it pops open a browser window to authenticate. This only needs to be done once, and then uses refresh tokens from then on.

Is there a way I can adapt this so it doesn't use web-application-flow and uses some other type of Auth that can be run headless. I know there is the 'client credentials flow', but it doesn't allow access to user resources and I'd like to be able to access things like saved playlists (i.e., the me endpoint, 'https://api.spotify.com/v1/me/tracks/')

logically speaking if you want the client-side to keep up with the server and do this once you will need to create a function/method which will keep track of the outhkey and send a message to the server saying in human tongue this is a trusted device do not log it out, do not ask for key again in other words, use a back-end key sync approach to keep the key updated, much like 2FA applications, regarding the playlists and stuff, it's a DB Query that can be represented as such (I will use MySQL)

SELECT (Playlists, music, liked-songs...) from SongsTable where UserId-client_id