SpotAPI rate-limits unlock attempts by IP — but it trusts the X-Forwarded-For header you control. Rotate it on every request to brute force the 4-digit artist code.
