The authorization code grant flow

This topic describes getting an OAuth access token using the authorization code grant flow. The access token retrieved from this flow is called a User access token. For details on token types and more, see Access token types.

The authorization code grant flow is a two-step process that combines a consent request with an authorization code grant request.

If your eBay app acts on the behalf of a third-party user, your app must obtain the user's consent before it can make requests that access and update that third-party's confidential resources. A User access token carries a third-party's authorization to access specific resources, and this type of token is obtained through the authorization code grant flow.

Getting and refreshing User access tokens

User access tokens are short-lived and must be refreshed once they expire.

The steps below cover the process of getting a User access token and refreshing it when it expires. Refer to the figures under Process overview for a high-level view of the flow. Each step outlines the high-level process, and the link in each step leads to the details on how to complete it:

  1. Get the third-party's consent.

    For details, see Getting the third-party's consent.

  2. Exchange the third-party consent for an access token.

    For details, see Exchanging the authorization code for a User access token.

  3. Refresh the access token after it expires.

    For details, see Using a refresh token to update a User access token.

Tip: Once you're familiar with the authorization code grant flow, skip to the Quick reference - authorization code grant for the skinny details.
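The three steps above as a minimal client, added here as a worked example rather than code from eBay's documentation. The authorize and token endpoint URLs, the HTTP Basic header form and the form parameter names are assumptions taken from eBay's public OAuth docs, not from this page; the HTTP transport is injected as a `post(url, headers, body)` callable returning the parsed JSON, so the logic runs offline.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://auth.ebay.com/oauth2/authorize"     # assumed, not on this page
TOKEN_URL = "https://api.ebay.com/identity/v1/oauth2/token"  # assumed, not on this page

def new_state():
    # Unguessable per-request value; the consent callback must echo it back.
    return secrets.token_urlsafe(32)

def build_consent_url(client_id, redirect_uri, scopes, state):
    # Step 1: the user is sent here to grant consent (the consent request).
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "scope": " ".join(scopes), "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    # The redirect back carries ?code=...&state=...; refuse a code whose state
    # does not match the request we started (forged or replayed callback).
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    return qs["code"][0]

def _headers(client_id, client_secret):
    # Client credentials travel in an HTTP Basic header, never in the URL.
    raw = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": "Basic " + raw,
            "Content-Type": "application/x-www-form-urlencoded"}

def _stamp(token, now):
    # Turn the relative expires_in into an absolute expiry time we can check.
    token["expires_at"] = (time.time() if now is None else now) + int(token["expires_in"])
    return token

def exchange_code(post, client_id, client_secret, code, redirect_uri, now=None):
    # Step 2: trade the one-time code for a User access token plus refresh token.
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return _stamp(post(TOKEN_URL, _headers(client_id, client_secret), body), now)

def refresh_token(post, client_id, client_secret, refresh, scopes, now=None):
    # Step 3: once expired, use the refresh token instead of re-prompting the user.
    body = {"grant_type": "refresh_token", "refresh_token": refresh, "scope": " ".join(scopes)}
    return _stamp(post(TOKEN_URL, _headers(client_id, client_secret), body), now)

def needs_refresh(token, now=None, skew=60):
    # Treat the token as expired slightly early to absorb clock skew and latency.
    return (time.time() if now is None else now) >= token["expires_at"] - skew
```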

Process overview

Obtaining consent from a third-party user is a necessary step because it gives your application the ability to make eBay calls and access sensitive eBay data on behalf of that user. This, in turn, allows third-party users to access all the details of their eBay accounts, including buying and selling eBay items, through the applications you build.

The authorization code grant logic

The following flow diagram outlines the logic for getting User access tokens via the authorization code grant flow. The authorization code grant request returns both a User access token and a refresh token:

Figure: Flow for generating a User token

The logic for refreshing an expired User access token

After the User access token expires, update it using the refresh token:

Figure: Flow for refreshing a User access token