The authorization flows can take a while to understand well but the code will make more and more sense after obtaining access to a couple of other APIs in a similar way (you will likely do similar ones in other tutorials/lessons). I would also read the section about Implicit Grant Flow in Spotify API docs:
For Jammming, keep in mind that there are 2 functions (search and savePlaylist) that access the Spotify API. They need to have an access token to connect and get info from Spotify. Therefore, at the beginning of these 2 functions they call the Spotify.getAccessToken function to get the token. This function first checks if we already have a valid token in the accessToken variable. If not, the function proceeds to getting the token (covered in Step 80).
If the access token and expiration time are in the URL, implement the following steps:
Set the access token value
Saves the access token from the URL into the accessToken variable (declared on the top level of Spotify component). Having this stored in the accessToken variable means that next time we do a search or save a playlist, if we have a valid token, the function will not need to try to get a new one.
Set a variable for expiration time
Takes the expiration time (which Spotify provides in the URL) and stores it in a variable so we can use it later to erase the accessToken variable at the correct time.
Set the access token to expire at the value for expiration time
Use the setTimeout JS-function to run code after a delay in milliseconds. Sets accessToken to an empty string at expiresIn * 1000 (we multiply by 1000 to convert from seconds to milliseconds).
Clear the parameters from the URL, so the app doesn’t try grabbing the access token after it has expired
Once the function has the token and expiration time, they are no longer needed in the URL and will be old information. window.history.pushState is used to erase these parameters from the URL.
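
The four steps above, written out as an added example (not the Jammming solution code or the poster's own). The names parseTokenFromUrl, createTokenStore and the env callbacks are hypothetical, introduced so the logic can run outside a browser, and the redirect URL format in the comments is constructed.

```javascript
// Pull access_token and expires_in out of the redirect URL, e.g. (constructed):
//   http://localhost:3000/#access_token=CONSTRUCTED_TOKEN&token_type=Bearer&expires_in=3600
// The [#?&] prefix makes sure we match the parameter name itself and not
// the tail of some other parameter such as "xaccess_token".
function parseTokenFromUrl(href) {
  const tokenMatch = href.match(/[#?&]access_token=([^&]+)/);
  const expiresMatch = href.match(/[#?&]expires_in=(\d+)/);
  if (!tokenMatch || !expiresMatch) return null;
  const expiresIn = Number(expiresMatch[1]);
  // Reject 0 and absurd values instead of scheduling a meaningless timer.
  if (!Number.isSafeInteger(expiresIn) || expiresIn <= 0) return null;
  return { accessToken: tokenMatch[1], expiresIn };
}

// env supplies the browser pieces (assumed wiring, shown for orientation):
//   getHref:  () => window.location.href
//   clearUrl: () => window.history.pushState('Access Token', null, '/')
//   setTimer: (fn, ms) => setTimeout(fn, ms)
function createTokenStore(env) {
  let accessToken = ''; // top-level variable shared by search and savePlaylist

  return {
    getAccessToken() {
      // Already holding a token that has not expired: reuse it.
      if (accessToken) return accessToken;

      const parsed = parseTokenFromUrl(env.getHref());
      // Nothing usable in the URL: the caller still has to obtain a token.
      if (!parsed) return '';

      // Set the access token value.
      accessToken = parsed.accessToken;
      // Set a variable for expiration time (Spotify gives it in seconds).
      const expiresIn = parsed.expiresIn;
      // Erase the token when it expires; timers take milliseconds.
      env.setTimer(() => { accessToken = ''; }, expiresIn * 1000);
      // Clear the parameters so the stale token is not read from the URL again.
      env.clearUrl();
      return accessToken;
    },
  };
}
```

pushState adds a new history entry on top of the one that carried the token, so that earlier entry is still in the tab's session history; window.history.replaceState overwrites the entry instead.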