This topic describes getting an OAuth access token using the authorization code grant flow. The access token retrieved from this flow is called a User access token. For details on token types and more, see Access token types.
The authorization code grant flow is a two-step process that combines a permissions grant request with an authorization code grant request.
If your eBay app acts on the behalf of a third-party user, your app must obtain the user's permission before it can make requests that access and update that third-party's confidential resources. A User access token carries a third-party's authorization to access specific resources, and this type of token is obtained through the authorization code grant flow.
Getting and refreshing User access tokens
User access tokens are short-lived and must be refreshed if they are expired.
The steps below cover the process of getting a User access token and refreshing it when it expires. Refer to the figure for a high-level overview of the process flow. The steps outline the high-level process and the links in each step provide the details on how to complete the step:
Get the third-party permissions.
For details, see Getting third-party permissions.
Exchange the third-party permissions for an access token.
For details, see Exchanging the authorization code for a User access token.
Refresh the access token after it expires.
For details, see Using a refresh token to update a User access token.
Tip: Once you're familiar with the authorization code grant flow, skip to the Quick reference - authorization code grant for the skinny details.
Obtaining the consent from a third-party user is a necessary step because it gives your application the ability to make eBay calls and access sensitive eBay data on the behalf of the user. This, in turn, allows 3rd-party users to access all the details of their eBay accounts, including buying and selling eBay items, through the applications you build.
The authorization code grant logic
The following flow diagram outlines the logic for getting User access tokens via the authorization code grant flow. The authorization code grant request returns both a User access token and a refresh token:
Flow for generating a User token
The logic for refreshing an expired User access token
After the User access token expires, update it using the refresh token:
Flow for refreshing a User access token