Access token types

The eBay token service "mints," or generates, access tokens via two different grant flows:

  • Client credentials grant flow mints a new Application access token.
  • Authorization code grant flow mints a new User access token.

The grant flow you use depends upon the "scopes" of the eBay methods used by your application.

About access tokens and scopes

Each REST method is declared with a scope (or set of scopes) that acts as a security key for the method. This key is required for you to gain access to the method, and you present the key by embedding the appropriate scope in an access token. Thus, if you have an access token that contains the scope required by a method, you can use that access token to make a request to the method.

When you create an access token, you supply a list of scopes that covers all the scopes needed by all the methods used in your application. In this way, each access token contains the authorization needed to call each method.

eBay supports two different "grant flows" for creating access tokens and each grant flow mints a different type of access token. The grant flow you use depends on the scopes required by methods called by your application.

Grant flows

You can create access tokens using one of the two following grant flows, where each flow uses a different process to generate the token:

  • Client credentials grant
  • Authorization code grant

The access tokens generated by these two grant flows provide different levels of authorization and access. The grant flow you use depends on the needs of your application.

A client credentials grant generates an Application access token and an authorization code grant generates a User access token.

In general, you can use the client credentials grant flow if your application accesses only non-confidential resources. If your application needs to access and modify confidential resources, you must use the authorization code grant flow to create your access tokens.

Application access tokens vs. User access tokens

Access token type: Application access token
Description: Application tokens are general-use tokens that give access to interfaces that return non-confidential data. For example, many GET requests require only an Application token for authorization.

Access token type: User access token
Description: You must employ a User token to call any interface that accesses or modifies confidential data (such as user information and account data).

To get a User token, the users of your app must grant your application the permissions it needs to act upon their behalf. This process is called user consent. With the user consent flow, each User token contains the set of scopes for which the user has granted their permission.

Check the scope requirements of each eBay interface you plan to call in your application and from there deduce which grant flow you need to use to create your access tokens.

You can use Application access tokens only if all the methods used in your application support scopes that allow authorization via App tokens. For example, here is a partial list of scopes that allow access with Application access tokens:

  • https://api.ebay.com/oauth/api_scope
  • https://api.ebay.com/oauth/api_scope/buy.guest.order
  • https://api.ebay.com/oauth/api_scope/buy.item.feed
  • https://api.ebay.com/oauth/api_scope/buy.marketing

If your application uses a method that does not include a scope that supports Application access tokens, then you must use the authorization code grant flow to generate the access tokens used by your application.
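The scope check described above, as an added example that is not part of eBay's documentation or SDKs: given the scopes each method accepts, it decides whether the client credentials grant is enough and which scopes to request, and it reports methods a token cannot call when the user consented to fewer scopes than requested. The method names and the "sell.inventory" scope are constructed for illustration; only the four Application-token scopes come from this page.

```python
# Decide which eBay grant flow an application needs, following the rule on this
# page: Application tokens (client credentials grant) suffice only if every method
# the app calls accepts a scope that allows Application access tokens; otherwise
# the authorization code grant (User token) is required.

# Partial list of scopes that allow Application access tokens (from this page).
APP_TOKEN_SCOPES = frozenset({
    "https://api.ebay.com/oauth/api_scope",
    "https://api.ebay.com/oauth/api_scope/buy.guest.order",
    "https://api.ebay.com/oauth/api_scope/buy.item.feed",
    "https://api.ebay.com/oauth/api_scope/buy.marketing",
})

# Constructed sample: method name -> scopes the method accepts (any one of them
# authorizes the call). Names and the "sell.inventory" scope are assumptions.
SAMPLE_METHODS = {
    "browse.search": {"https://api.ebay.com/oauth/api_scope"},
    "feed.getItemFeed": {"https://api.ebay.com/oauth/api_scope/buy.item.feed"},
    "inventory.getOffers": {"https://api.ebay.com/oauth/api_scope/sell.inventory"},
}

def choose_grant_flow(methods):
    """Return (grant_flow, scopes_to_request) for a dict of method -> accepted scopes.

    For each method, prefer scopes an Application token may carry so the token
    request stays as narrow as possible; a method with no such scope forces the
    authorization code grant, and all of its accepted scopes are requested.
    """
    flow = "client_credentials"
    to_request = set()
    for accepted in methods.values():
        app_ok = accepted & APP_TOKEN_SCOPES
        if app_ok:
            to_request |= app_ok
        else:
            flow = "authorization_code"  # confidential resource: User token only
            to_request |= set(accepted)
    return flow, frozenset(to_request)

def missing_scopes(methods, token_scopes):
    """Methods a token cannot call, e.g. because the user withheld consent for
    some requested scopes. Returns {method: accepted scopes} for each gap."""
    token_scopes = set(token_scopes)
    return {name: accepted for name, accepted in methods.items()
            if not (accepted & token_scopes)}

if __name__ == "__main__":
    print(choose_grant_flow(SAMPLE_METHODS))
    print(missing_scopes(SAMPLE_METHODS, {"https://api.ebay.com/oauth/api_scope"}))
```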

For more on how eBay implements OAuth, see eBay OAuth details.

Getting access tokens

The following topics describe how to generate the different types of access tokens using the two different grant flows: