Getting Your Keys
For an application to be able to operate in the Sandbox or the Production environment, it needs to have the appropriate IDs for that environment. These IDs are referred to as development keys (because they unlock the door into the particular development environment). Development keys consist of a set of data that identifies the application and its developer. You use these keys to generate an authentication token for a user.
In order to obtain your development keys and start developing your application, you must join the eBay Developers Program. The first step is to register with eBay as a developer. For the simple registration procedure, see Register and Get Your Keys.
Once you join the eBay Developers Program, you can create keysets for your application. The keyset for the Sandbox is different from the keyset for the Production environment. (Keys for the Sandbox cannot be used to make API calls in the Production environment. Conversely, Production keys cannot be used to make API calls in the Sandbox.)
Your keyset consists of three IDs:
Table: Development Keys
- Dev ID: Unique identifier for the developer's (or company's) account.
- App ID: Unique identifier for the application.
- Cert ID: Certificate that authenticates the application when making API calls. Not to be confused with user-level authentication tokens. For more information, see Security.
The keys are created by and maintained at eBay. You cannot choose your own keys. To view and retrieve your keys at any time, you can sign in with your developer username and password at https://developer.ebay.com/DevZone/account. The Application Keys page appears:
Figure: The Application Keys page with Sandbox Keyset 1
You initially have no Sandbox or Production keys. You can click the Create a keyset link to generate them for each environment. This documentation applies to both the Sandbox and Production keysets, unless a particular keyset is specified.
Note: As shown on this page, you can Request another keyset, but this request will be for an additional keyset, not a replacement keyset. Most developers need only one keyset for each environment. Please see Requesting Additional Keysets in the Knowledge Base for alternatives to creating multiple keysets. If you meet the criteria for additional keysets, you can file an eBay Developers Program support ticket to request the keysets you need. Each additional keyset will contain a new App ID/Cert ID pair for the same Dev ID.
You can view and track an application's API usage. Click the API Reports link to open the Reports tab, then select a date range for the API Call Use Report and click the Show Reports button to view the report.
Rotating the Cert ID
Your Cert ID is like a password for your keyset. If you think your keyset has been compromised, you can change your Cert ID at any time by clicking Rotate (Reset) Cert ID and following the form instructions. Creating a new Cert ID does not affect existing user tokens that have already been created for your application.
Once you generate a new Cert ID, your old Cert ID expires at the end of the grace period that you specify. The grace period can be a value between 0 (expires immediately) and 4000 days (use this if your company's security standard is to always have two Cert IDs available, so that you can switch between them as needed without logging into this portal). A typical grace period is between 30 and 90 days. During the grace period, both Cert IDs are valid, so that you can deploy and roll back your application changes, and revoke older tokens as needed.
The old Cert ID is displayed alongside the new one during the grace period:
Figure: The Sandbox keys after rotating the Cert ID
Note: You cannot use the new Cert ID to revoke user tokens that you created with the old ID. If you plan to revoke older tokens, please do so before the old Cert ID expires.
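The grace-period and revocation rules above can be modelled to plan a rotation. The following is an added example, not eBay code: the Cert ID labels and the token inventory (which Cert ID each token was created with) are hypothetical records your own application would have to keep.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_GRACE_DAYS = 4000  # upper bound stated on this page


@dataclass(frozen=True)
class Rotation:
    old_cert_label: str   # a label for the Cert ID, never the secret itself
    new_cert_label: str
    rotated_at: datetime
    grace_days: int

    def __post_init__(self):
        if not 0 <= self.grace_days <= MAX_GRACE_DAYS:
            raise ValueError("grace period must be between 0 and 4000 days")

    @property
    def old_expires_at(self) -> datetime:
        return self.rotated_at + timedelta(days=self.grace_days)

    def valid_certs(self, now: datetime) -> list[str]:
        """Labels of the Cert IDs that are still accepted at time `now`."""
        certs = [self.new_cert_label]
        if now < self.old_expires_at:      # a grace period of 0 expires at once
            certs.insert(0, self.old_cert_label)
        return certs


def revocation_plan(rot: Rotation, tokens: dict, now: datetime):
    """Group tokens queued for revocation by the Cert ID that must revoke them.

    `tokens` maps a token label to the label of the Cert ID it was created
    with (a local inventory; hypothetical). Returns three sorted lists:
    (revoke_with_old, revoke_with_new, stranded).
    """
    old_ok = rot.old_cert_label in rot.valid_certs(now)
    with_old, with_new, stranded = [], [], []
    for token, cert in sorted(tokens.items()):
        if cert == rot.new_cert_label:
            with_new.append(token)
        elif old_ok:
            with_old.append(token)
        else:
            # Old Cert ID has expired and the new one cannot revoke this token.
            stranded.append(token)
    return with_old, with_new, stranded
```

Running the plan before choosing a grace period shows how many tokens depend on the old Cert ID and the date by which they have to be revoked.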
Testing the Quick Start Sample Application
Once you have your Production keyset, you can use your Production App ID to run the Quick Start Sample Application, which uses your App ID and the Finding API to produce a sample result from real production data in both XML and parsed HTML.
- While signed in to your Developers Program account, confirm that you have a Production keyset on the Application Keys page.
- From the Tools and Samples menu, choose Try a sample app.
The Quick Start Sample Application page appears.
- In the Sample Application Source Code section, select the Automatic Key radio button.
Your production App ID is automatically inserted in the box below.
- Click the Run Sample button.
The call results are presented in the other two sections. One contains the raw call response in XML, the other is an example of how the response data can be used in an HTML page.
Securing and Using Your Keys
For an example of where to use these keys in an application, check out the eBay Developers Program API Tutorials at the Developer Help Center.
When you execute an API call, your request needs to pass these basic security checks:
- Authenticate your application by specifying appropriate development keys with your API request.
Just as you would store and protect passwords, you should also exercise the same caution in storing and using your development keys. For example, if the strings are hard-coded in a compiled application, it is possible for an unscrupulous person to see the IDs by inspecting the executable file with a tool such as a hexadecimal file viewer. We highly recommend some form of encryption of the IDs in compiled applications to deter this type of unauthorized access.
- Authenticate the user by specifying a secret authentication token in each API request.
The token is equivalent to the user signing in on the eBay website. It also indicates that the user has authorized your application to interact with eBay on their behalf.
When you initially ask eBay to generate an authentication token for a user, you must provide your development keys and the user must sign in to eBay and give their consent to authorize your application to perform certain actions on their behalf. The token value is generated based on the user's sign-in credentials and your application's credentials.
From then on, your application passes both the token and the matching development keys in each API request.
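One way to act on the caution about hard-coded keys is to keep the keyset out of the binary and check each build artifact for it before release. The following is an added example, not eBay code; the environment variable names are assumptions, and loading keys from the environment is shown here as an alternative to embedding them.

```python
import os
import sys

# Environment variable names are assumptions made for this example.
KEY_VARS = ("EBAY_DEV_ID", "EBAY_APP_ID", "EBAY_CERT_ID")


def load_keys(env=os.environ):
    """Read the keyset from the environment instead of from source code."""
    missing = [name for name in KEY_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing keys: " + ", ".join(missing))
    return {name: env[name] for name in KEY_VARS}


def encodings_of(secret):
    """Byte patterns a hex viewer would show for a hard-coded string."""
    return {
        "ascii/utf-8": secret.encode("utf-8"),
        "utf-16le": secret.encode("utf-16-le"),  # Windows wide strings
    }


def find_embedded_keys(blob, keys):
    """Return sorted (key name, encoding, offset) for each key found in blob."""
    hits = []
    for name, secret in keys.items():
        for label, pattern in encodings_of(secret).items():
            offset = blob.find(pattern)
            if offset != -1:
                hits.append((name, label, offset))
    return sorted(hits)


def scan_file(path, keys):
    with open(path, "rb") as handle:
        return find_embedded_keys(handle.read(), keys)


if __name__ == "__main__":
    # Usage: python scan_keys.py <artifact> [...]; exit status 1 blocks the release.
    keys = load_keys()
    found = [hit for path in sys.argv[1:] for hit in scan_file(path, keys)]
    for name, label, offset in found:
        # Report the key name and location only, never the key value.
        print(f"{name} embedded as {label} at offset {offset:#x}")
    sys.exit(1 if found else 0)
```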
Once you have your development keys, see Getting Tokens for information about generating and retrieving authentication tokens for each user.
Copyright © 2005–2018 eBay Inc. All rights reserved. This documentation and the API may only be used in accordance with the eBay Developers Program and API License Agreement.