Getting Your Keys
For an application to be able to operate in the Production or the Sandbox environment, it needs to have the appropriate IDs for that environment. These IDs are referred to as development keys (because they unlock the door into the particular development environment). Development keys consist of a set of data that identifies the application and its developer. You use these keys when you generate an authentication token for a user.
When you join the eBay Developers Program, you are provided with key sets for your application. The key set for the Sandbox is different from the key set for the Production environment. (Keys for the Sandbox cannot be used to make API calls in the Production environment. Conversely, Production keys cannot be used to make API calls in the Sandbox.)
Please see Getting a Compatible Application Check.
Your keys consist of three IDs:
Table: Development Keys
- DevID: Unique identifier for the developer's (or company's) account.
- AppID: Unique identifier for the application.
- CertID: Certificate that authenticates the application when making API calls. Not to be confused with user-level authentication tokens. See Security.
The keys are created by and maintained at eBay. You cannot choose your own keys. To retrieve your keys at any time, you can use the following location:
Account Information (requires sign-in)
You can view and track an application's API usage with the API Usage Report. (Note that multiple AppID/CertID pairs can be issued for a single DevID.)
Your API Usage Report (requires sign-in)
For an example of where to use these keys in an application, see the eBay Developers Program API Tutorials.
When you execute an API call, your request needs to pass these basic security checks:
- Authenticate your application by specifying appropriate development keys with your API request.
Store and use your development keys with the same caution you apply to passwords. For example, if the strings are hard-coded in a compiled application, it is possible for an unscrupulous person to see the IDs by inspecting the executable file with a tool such as a hexadecimal file viewer. We highly recommend some form of encryption of the IDs in compiled applications to deter this type of unauthorized access.
- Authenticate the user by specifying a secret authentication token in each API request.
The token is equivalent to the user signing in on the eBay Web site. It also indicates that the user has authorized your application to interact with eBay on their behalf.
When you initially ask eBay to generate an authentication token for a user, you must provide your development keys and the user must sign in to eBay and give their consent to authorize your application to perform certain actions on their behalf. The token value is generated based on the user's sign-in credentials and your application's credentials.
From then on, your application passes both the token and the matching development keys in each API request.
Once you have your development keys, see Getting Tokens for information about generating and retrieving authentication tokens for each user.
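A build-time check for the hard-coded key risk described above, as an added example that is not eBay's code: it searches a compiled artifact for your own development keys, in both narrow and wide (UTF-16) string form, and reports the offsets where they appear in plaintext. The key values, the sample artifact and the function names are constructed for illustration.

```python
"""Build-time check: report development keys stored in plaintext in an artifact."""

# String encodings compilers commonly use for embedded literals.
ENCODINGS = ("utf-8", "utf-16-le")

# Constructed placeholder values, not real eBay keys.
SAMPLE_KEYS = {
    "DevID": "CONSTRUCTED-DEVID-0000",
    "AppID": "CONSTRUCTED-APPID-0001",
    "CertID": "CONSTRUCTED-CERTID-0002",
}

# Constructed stand-in for a compiled binary: AppID embedded as a narrow
# string at offset 64, CertID as a UTF-16 (wide) string at offset 96.
SAMPLE_ARTIFACT = (
    b"\x7fELF" + b"\xcc" * 60
    + SAMPLE_KEYS["AppID"].encode("utf-8") + b"\x00" + b"\xcc" * 9
    + SAMPLE_KEYS["CertID"].encode("utf-16-le") + b"\x00\x00"
)


def find_embedded_keys(blob, keys):
    """Return (key_name, encoding, offset) tuples sorted by offset.

    Only the key name is reported, never its value, so the result can be
    written to a build log.
    """
    findings = []
    for name, value in keys.items():
        if not value:
            continue  # an empty needle would match at every offset
        for enc in ENCODINGS:
            needle = value.encode(enc)
            pos = blob.find(needle)
            while pos != -1:
                findings.append((name, enc, pos))
                pos = blob.find(needle, pos + 1)
    return sorted(findings, key=lambda f: f[2])


def scan_artifact(path, keys):
    """Scan a file on disk; a non-empty result should fail the build."""
    with open(path, "rb") as fh:
        return find_embedded_keys(fh.read(), keys)


if __name__ == "__main__":
    for name, enc, pos in find_embedded_keys(SAMPLE_ARTIFACT, SAMPLE_KEYS):
        print(f"{name} found as {enc} at offset {pos:#x}")
```

In a real build, pass the key values to the check from the build environment rather than from source, and run it against the final packaged artifact.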
Copyright © 2005–2016 eBay Inc. All rights reserved. This documentation and the API may only be used in accordance with the eBay Developers Program and API License Agreement.