I tried following SoundCloud's advice and linked a private soundcloud player (simple HTML iframe) with a simple .htaccess authentication script. No problem there.
Apparently though, a couple people that have been sent the link are having no joy. I've reviewed the script and tried replicating the problem, but am missing something. Here's the relevant areas of code. The iframe is a part of a very basic table:
"<iframe width="500" height="500" scrolling="no" frameborder="no" src="https://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Fplaylists%123456789%3Fsecret_token%3Ds-GggGG&color=F9DAE8&auto_play=true&show_artwork=false" ></iframe>"
Your embed code is not correct. The iframe's src in your example is the following (formatted for readability):
https://w.soundcloud.com/player/
?url=http%3A%2F%2Fapi.soundcloud.com%2Fplaylists%123456789 <- missing `%2F`
%3Fsecret_token%3Ds-GggGG <- url-encoded delimiters `?` and `=`
&color=F9DAE8
&auto_play=true
&show_artwork=false
A couple of problems:
playlist and its ID (123456789 in your example), there should be %2F, which is url-encoded / character.?, = and &) shouldn't be url-encoded (only values of parameters should be)& as delimiter after the first URL paramater and not ?, so the secret token should be delimited with & So, in the end it should be (without the line breaks of course):
https://w.soundcloud.com/player/
?url=http%3A%2F%2Fapi.soundcloud.com%2Fplaylists%2F123456789
&secret_token=s-GggGG
&color=F9DAE8
&auto_play=true
&show_artwork=false