A lightweight Cloudflare Worker that proxies Last.fm API requests for the Kaset macOS app. The app sends unsigned requests; the Worker adds api_key and computes api_sig (MD5) before forwarding to Last.fm.
The Last.fm API requires a shared secret for signing requests. Embedding secrets in the app binary is a security risk. This Worker keeps the API key and shared secret server-side — the app only needs to know the Worker URL.
cd worker
npm installGet your API key and shared secret from last.fm/api/account, then:
npx wrangler secret put LASTFM_API_KEY
npx wrangler secret put LASTFM_SHARED_SECRETnpm run dev
# Worker runs at http://localhost:8787npm run deploy| Endpoint | Method | Description |
|---|---|---|
/health |
GET | Health check |
/auth/token |
GET | Get a Last.fm auth token |
/auth/url?token=X |
GET | Get the Last.fm authorization URL |
/auth/session?token=X |
GET | Exchange token for session key |
/auth/validate?sk=X |
GET | Validate an existing session key |
/nowplaying |
POST | Update "now playing" status |
/scrobble |
POST | Submit scrobbles (up to 50 per batch) |
{
"sk": "session-key",
"artist": "The Weeknd",
"track": "Blinding Lights",
"album": "After Hours",
"duration": 200
}{
"sk": "session-key",
"scrobbles": [
{
"artist": "The Weeknd",
"track": "Blinding Lights",
"timestamp": 1708560000,
"album": "After Hours",
"duration": 200
}
]
}- App calls
GET /auth/token→ receives a token - App calls
GET /auth/url?token=X→ gets the Last.fm auth URL - User authorizes in browser
- App polls
GET /auth/session?token=X→ receives permanent session key