Using eBay OAuth
eBay uses OAuth 2.0, the industry standard for secure online transactions, for its Merchant Feeds API and Merchant Account API.
Note: OAuth is supported for selected partners only. eBay requires application details to enable OAuth support.
This document describes how to retrieve access tokens and use them to make eBay API calls.
Credentials Needed for Retrieving Access Tokens
To retrieve an access token, you will use traditional eBay Auth & Auth credentials and parameters, which map to standard OAuth credentials and parameters:
|eBay Auth & Auth|OAuth
|AppID|Client ID (client_id)
|CertID|Client Secret (client_secret)
|RUNAME|Redirect URI (redirect_uri)
Your Auth & Auth credentials can be retrieved from your account page on developer.ebay.com.
To retrieve your credentials:
- Log in and register your application on developer.ebay.com.
- Upon registering your application, you can retrieve the required credential information from the My Account page:
The AppID and CertID are part of your standard credentials, available for either the sandbox or production environment, on the Application Settings tab on the My Account page.
- From the Application Settings tab, click the Customize the eBay User Consent Form link to retrieve or update the RUNAME for your application.
Retrieving an Access Token
The following steps outline the OAuth process for the Web Profile. In this process, an eBay user authorizes your application to make API calls on their behalf and eBay provides a one-time use code that you then exchange for an access token.
To retrieve an access token:
- From your application, redirect eBay users to a URL of the following form (line breaks added to help with readability), using your application's AppID and RUNAME:
The response_type parameter is set to "code" to retrieve the authorization code.
- The user is taken to a sign-in page that asks him to link his eBay account to your application (Cool App in this example), which grants your application access to make API calls on his behalf.
- When the user signs in with his user ID and password, he is shown a consent page asking permission to authorize eBay to share his data with your application.
- When the user agrees to the terms and conditions in the preceding step, he is redirected to the accept URL for your application with a code.
This code is used only for retrieving an access token. It is good for one use only and has a short life span, so it should be used immediately.
- Make the following call to exchange the code for an access token.
Be sure to URL encode the code value.
- eBay returns HTML content containing the access token and the number of seconds until the token expires.
"token_type":"User Access Token",
This access token can be used to make API calls in the production environment. Repeat these steps to retrieve a new token before the current token expires.
Note: To retrieve an access token for use in the Sandbox, use the following URL:
Be sure to use application credentials for the sandbox environment when retrieving an access token for use with the sandbox. The user must sign in with a sandbox user ID and password, as well.
The access token is passed in the Authorization HTTP header sent with the API request. The format of the Authorization header is:
Authorization: Bearer <access_token>
Note: The Authorization header value must include the text "Bearer" followed by the access token (separated from Bearer by a space).
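The steps above, end to end, as an added Python example that is not part of eBay's documentation: it builds the consent URL, reads the one-time code from the accept URL, URL encodes it for the exchange call, and turns the token response into an Authorization header value plus a renewal time. The endpoint, the Basic-authenticated form body (generic RFC 6749 shape), the access_token and expires_in field names, the JSON response body and all sample values are assumptions or constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Placeholder endpoint (assumption): substitute the sign-in URL eBay documents.
AUTHORIZE_URL = "https://auth.example.invalid/authorize"


def build_authorize_url(app_id, runame):
    """Step 1: response_type=code asks for a one-time authorization code."""
    params = {"client_id": app_id, "redirect_uri": runame, "response_type": "code"}
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_callback(accept_url):
    """Read the code from the accept URL; parse_qs percent-decodes it once."""
    values = parse_qs(urlsplit(accept_url).query).get("code", [])
    if len(values) != 1:
        raise ValueError("expected exactly one code parameter")
    return values[0]


def token_request(code, app_id, cert_id, runame):
    """Headers and form body for the exchange, in the generic RFC 6749 shape
    (assumed; use the exact call eBay documents). The code is re-encoded here
    because it may contain reserved characters such as '#', '+' and '/'."""
    basic = base64.b64encode(f"{app_id}:{cert_id}".encode()).decode()
    fields = {"grant_type": "authorization_code", "code": code, "redirect_uri": runame}
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(fields, quote_via=quote)


def parse_token_response(text, now=None, margin=300):
    """Return (Authorization header value, epoch time to fetch a new token).
    access_token / expires_in are the RFC 6749 field names, assumed here."""
    data = json.loads(text)
    now = time.time() if now is None else now
    return "Bearer " + data["access_token"], now + int(data["expires_in"]) - margin


if __name__ == "__main__":
    # Constructed sample values, not real credentials or tokens.
    code = code_from_callback("https://app.example.invalid/accept?code=v%5E1.1%23i%5E1%2Babc%3D")
    print(token_request(code, "APP-ID-SAMPLE", "CERT-ID-SAMPLE", "Sample-RuName")[1])
    print(parse_token_response('{"access_token":"SAMPLE","expires_in":7200}', now=0))
```

If the decoded code were placed in the request body without re-encoding, a '+' would be read as a space and a '#' would truncate the value, and the exchange would fail on a code that cannot be reused.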
Copyright © 2014-2015
eBay, Inc. All rights reserved. This documentation and the API may only be used in accordance with the eBay Developers Program and API License Agreement.