Getting Your Keys
For an application to be able to operate in the Sandbox or the Production environment, it needs to have the appropriate IDs for that environment. These IDs are referred to as application keys (because they unlock the door into the particular application environment). Application keys consist of a set of data that identifies the application and its developer. You use these keys to generate an authentication token for a user. For additional information, see Understand application keysets.
To obtain your application keys and start developing your application, you must join the eBay Developers Program. The first step is to register with eBay as a developer. For the simple registration procedure, see Join the eBay Developers Program.
Once you join the eBay Developers Program, you can create the eBay API keysets for your application. The keyset for the Sandbox is different from the keyset for the Production environment: keys for the Sandbox cannot be used to make API calls in the Production environment, and Production keys cannot be used to make API calls in the Sandbox.
You can view and track an application's API usage. Click the API Reports link to open the Reports tab, then select a date range for the API Call Use Report and click the Show Reports button to view the report.
Rotating the Cert ID
Your application cert ID is like a password for your keyset. If you think your keyset has been compromised, you can change your cert ID at any time. For additional information, see Resetting your cert ID.
Securing and Using Your Keys
When you execute an API call, your request needs to pass these basic security checks:
- Authenticate your application by specifying appropriate development keys with your API request.
Store and use your development keys with the same caution you apply to passwords. For example, if the strings are hard-coded in a compiled application, an unscrupulous person can see the IDs by inspecting the executable file with a tool such as a hexadecimal file viewer. We highly recommend some form of encryption of the IDs in compiled applications to deter this type of unauthorized access.
- Authenticate the user by specifying a secret authentication token in each API request.
The token is equivalent to the user signing in on the eBay website. It also indicates that the user has authorized your application to interact with eBay on their behalf.
When you initially ask eBay to generate an authentication token for a user, you must provide your development keys and the user must sign in to eBay and give their consent to authorize your application to perform certain actions on their behalf. The token value is generated based on the user's sign-in credentials and your application's credentials.
From then on, your application passes both the token and the matching development keys in each API request.
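A release check for the hard-coding risk described above, as an added example that is not eBay's code: it searches a built artifact for your own key values in the byte layouts a hexadecimal viewer would show. The function name, key labels, sample key values and sample "binaries" are assumptions constructed for illustration.

```python
"""Release gate: report application keys that appear verbatim in a build artifact."""

# Byte layouts in which a string literal commonly ends up in a compiled file:
# narrow (UTF-8/ASCII) strings and Windows-style wide (UTF-16LE) strings.
ENCODINGS = ("utf-8", "utf-16-le")


def find_embedded_keys(artifact: bytes, keys: dict) -> dict:
    """Return {key_label: [(encoding, byte_offset), ...]} for every key value
    found verbatim in the artifact. An empty dict means nothing was found."""
    hits = {}
    for label, value in keys.items():
        if not value:
            continue  # an empty needle matches at every offset; skip unset keys
        for enc in ENCODINGS:
            needle = value.encode(enc)
            start = artifact.find(needle)
            while start != -1:
                hits.setdefault(label, []).append((enc, start))
                start = artifact.find(needle, start + 1)
    return hits


# Constructed sample values; these are not real eBay keys.
SAMPLE_KEYS = {
    "app_id": "ExampleApp-0000-SAMPLE",
    "dev_id": "00000000-dev-SAMPLE",
    "cert_id": "CERT-0000-SAMPLE-SECRET",
}

# Constructed "binaries": one embeds two keys as literals, the other embeds none.
LEAKY_BUILD = (
    b"\x7fELF\x00\x00"
    + SAMPLE_KEYS["app_id"].encode("utf-8")
    + b"\x00\x00"
    + SAMPLE_KEYS["cert_id"].encode("utf-16-le")
    + b"\x00\x00"
)
CLEAN_BUILD = b"\x7fELF\x00\x00keys are read from protected storage at runtime\x00"

if __name__ == "__main__":
    for name, blob in (("leaky", LEAKY_BUILD), ("clean", CLEAN_BUILD)):
        found = find_embedded_keys(blob, SAMPLE_KEYS)
        for label, locations in found.items():
            for enc, offset in locations:
                print(f"{name}: {label} present as {enc} at offset {offset}")
        print(f"{name}: {'FAIL' if found else 'ok'}")
```

Run it against each release artifact with the real key values supplied by the build environment rather than stored in the source tree.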
Once you have your application keys, see Getting Tokens for information about generating and retrieving authentication tokens for each user.