Quick reference for User tokens

This Quick Ref assumes you're familiar with the concepts covered in Getting a User token.

Getting an authorization code

Gather the following values, then format the redirect call to get a user's permissions:

  • The Client ID value of your application
  • The OAuth scope(s) required for access to the REST interfaces you plan to call
  • The RuName value that eBay assigns to your application
  • A state value

When you issue the redirect, the user is redirected to your application's Grant Application Access page, a custom page for your app that is compiled and hosted by eBay.

Redirect URL to get a user's Authorization code
  /* URL redirects a user to the app's Grant Application Access page (wrapped for readability) */

  https://signin.sandbox.ebay.com/authorize?
    client_id=<your-client-id-value>&
    redirect_uri=<your-RuName-value>&
    response_type=code&
    state=<client-supplied-state-value>&
    scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope%2Fsell.account%20
      https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope%2Fsell.inventory

Set the query parameters as follows:

Redirect URL to obtain a user's authorization

| Query Parameter | Description |
|---|---|
| client_id | This is the OAuth client_id value. This is one of the OAuth values that you get from your eBay account manager (the other value is the client_secret). |
| redirect_uri | This value is used to authenticate your application. Enter the RuName value for either the Sandbox or Production environment, depending on the environment you intend to target. |
| response_type | This value must be set to code to have eBay generate and return an authorization code. |
| scope | This is a list of OAuth scopes. Each REST operation has one or more scopes; refer to the API Reference to find the scope(s) required for each call. If you need to use multiple scopes, separate the scopes in the string with URL-encoded spaces. The example request above uses two scopes. |
| state | An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client, and the same value supplied in the call is returned in the response. |

While this value is optional, we recommend you supply a state value to prevent cross-site request forgery, as described in Section 10.12 of the OAuth spec.
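The state handling recommended above, as an added Python example (not eBay's code): it builds the redirect URL with an unguessable, single-use state and accepts the callback only when the returned state matches. The function names, the `session` dict standing in for a server-side session store, and the sample values in the comments are assumptions; the callback is assumed to carry the standard OAuth `code` and `state` query parameters.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://signin.sandbox.ebay.com/authorize"  # Sandbox URL from this page
SCOPES = [
    "https://api.ebay.com/oauth/api_scope/sell.account",
    "https://api.ebay.com/oauth/api_scope/sell.inventory",
]


def build_authorize_url(client_id, ru_name, scopes, session):
    """Return the redirect URL and bind a fresh random state to this session."""
    state = secrets.token_urlsafe(32)   # unguessable value from the OS CSPRNG
    session["oauth_state"] = state      # kept server-side, tied to this user
    query = urlencode(
        {
            "client_id": client_id,
            "redirect_uri": ru_name,
            "response_type": "code",
            "state": state,
            "scope": " ".join(scopes),  # multiple scopes are space-separated
        },
        quote_via=quote,                # spaces become %20, as in the URL above
    )
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, session):
    """Return the authorization code only if the returned state matches."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: consumed here
    returned = params.get("state", [""])[0]
    # Constant-time comparison on bytes; a missing stored state always fails.
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise ValueError("state mismatch: discarding callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return params["code"][0]
```
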

Getting a User token

Use the following values to request a User token:

  • The Base64-encoded OAuth credentials
  • The authorization code value containing the user's permissions grant and scopes
  • The RuName value that eBay assigns to your application

Request to get a User token
  HTTP method:   POST
  URL (Sandbox): https://api.sandbox.ebay.com/identity/v1/oauth2/token

  HTTP headers:
    Content-Type = application/x-www-form-urlencoded
    Authorization = Basic <B64-encoded-oauth-credentials>

  Request body (wrapped for readability):
    grant_type=authorization_code&
    code=<authorization-code-value>&
    redirect_uri=<RuName-value>

Response with a User token
  {
    "access_token": "v^1.1#i^1#p^3#r^1...XzMjRV4xMjg0",
    "token_type": "User token",
    "expires_in": 7200,
    "refresh_token": "v^1.1#i^1#p^3#r^1...zYjRV4xMjg0",
    "refresh_token_expires_in": 47304000
  } 

The Base64-encoded credentials

The Authorization header value is built from your application's OAuth credentials: the client ID and client secret values. Combine the two values, separating them with a colon, and Base64-encode the combined string.

In other words, Base64 encode the following: <client_id>:<client_secret>

Use the resulting value in the Authorization header by preceding the Base64-encoded value with the word Basic and a space. For example:

Basic <B64_encoded_oauth_credentials>

Using a refresh token to get a new User token

Use the following values to refresh an expired User token:

  • The Base64-encoded OAuth credentials
  • The user's refresh token value
  • The OAuth scope(s) required for access to the REST interfaces you plan to call

Call to refresh a User token using a refresh token
  HTTP method:   POST
  URL (Sandbox): https://api.sandbox.ebay.com/identity/v1/oauth2/token

  HTTP headers:
    Content-Type = application/x-www-form-urlencoded
    Authorization = Basic <B64-encoded-oauth-credentials>

  Request body (wrapped for readability):
    grant_type=refresh_token&
    refresh_token=<your-refresh-token-value>&
    scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope%2Fsell.account%20
      https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope%2Fsell.inventory

Tip: The scopes that you use in this refresh-token call must match the scopes that were used in the redirect call that started the process to produce the original refresh token. Remember, the redirect returns an authorization code that you use to generate the refresh token.
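The two token calls and the Base64-encoded credentials described above, as an added Python example (not eBay's code): it builds, without sending, the POST requests for the authorization-code exchange and the refresh, and rejects a refresh whose scopes differ from those of the original consent, following the tip. Function names and the `granted_scopes` parameter are assumptions.

```python
import base64
from urllib.parse import quote, urlencode
from urllib.request import Request

TOKEN_URL = "https://api.sandbox.ebay.com/identity/v1/oauth2/token"  # Sandbox URL from this page


def basic_auth_header(client_id, client_secret):
    """Return 'Basic ' + Base64(<client_id>:<client_secret>)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(client_id, client_secret, form):
    """Build the form-encoded POST; the client secret stays on the server."""
    return Request(
        TOKEN_URL,
        data=urlencode(form, quote_via=quote).encode("ascii"),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_auth_header(client_id, client_secret),
        },
        method="POST",
    )


def code_exchange_request(client_id, client_secret, code, ru_name):
    """Request that trades an authorization code for a User token."""
    return token_request(client_id, client_secret, {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": ru_name,
    })


def refresh_request(client_id, client_secret, refresh_token, scopes, granted_scopes):
    """Request that refreshes a User token; scopes must match the original consent."""
    if set(scopes) != set(granted_scopes):
        raise ValueError("refresh scopes must match the scopes used in the redirect call")
    return token_request(client_id, client_secret, {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),   # encoded with %20 between scopes
    })
```
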