Published: June 14 2016, 12:31:00 PM
Updated: November 28 2020, 11:25:32 PM

How do I get my authorization token using OAuth?

Once your APPID is white-listed for OAuth, follow the steps below to generate or renew your OAuth token.


Gathering the details required for OAUTH
To get the client secret and redirect_uri, call the clientregistry service using the links below:

Sandbox:

http://www.clientreg.sandbox.stratus.ebay.com/oauthclnt/core/v1/detail/<YOUR_APP_ID_HERE>

Production:

http://www.clientregistry.stratus.ebay.com/oauthclnt/core/v1/detail/<APPID>

Once you get the response, make a note of the following:
clientId
clientSecret
redirectUri

The call returns more than this, such as the scopes, which you can refer to later.

There are 2 flows in OAuth:
Member to Member flow
Guest flow

MEMBER TO MEMBER FLOW


Step 1: Getting the user permissions

This is the redirect URL that you will be sending to the users to grant permission to your application:

Sandbox URL
https://signin.sandbox.ebay.com/authorize?
client_id=<client_id>&
redirect_uri=<your_redirect_uri>&
response_type=code&scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fscope%2F%40public%20https%3A%2F%2Fapi.ebay.com%2Foauth%2Fscope%2Fbuy%40user

<client_id> = clientId obtained from calling the clientregistry service
<your_redirect_uri> = redirectUri obtained from calling the clientregistry service
 
Eg:
https://signin.sandbox.ebay.com/authorize?client_id=eBay28ff6-4df1-4571-99ab-a749dff769e&redirect_uri=eBay-eBay28ff6-4df1--mhvuniyf&response_type=code&scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fscope%2F%40public%20https%3A%2F%2Fapi.ebay.com%2Foauth%2Fscope%2Fbuy%40user
 
Production URL: https://signin.ebay.com/authorize

Once the user grants permission, copy the URL returned in the browser. It contains the authorization code in the 'code' query parameter.

Eg:
https://signin.ebay.com/ws/eBayISAPI.dll?ThirdPartyAuthSucessFailure&isAuthSuccessful=true&state=null&code=v%5E1.1%23i%5E1%23f%5E0%23I%5E3%23p%5E3%23r%5E1%23t%5EUl4zXzdGQkIyRUU1QzQ2MDQ5OTEyMDhBQzlCQ0MwOUE0MUM1XzAjRV4yNjA%3D

Copy the value of 'code' and URL-decode it using the tool: http://meyerweb.com/eric/tools/dencoder/. The authorization code returned after decoding will look something like this:
  v^1.1#i^1#f^0#I^3#p^3#r^1#t^Ul4zXzdGQkIyRUU1QzQ2MDQ5OTEyMDhBQzlCQ0MwOUE0MUM1XzAjRV4yNjA=
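
Step 1 can also be done locally, so the authorization code is never pasted into an online decoder. This is an added example, not eBay's code: the function names are assumptions, and the optional `state` check assumes the endpoint echoes the standard OAuth 2.0 `state` parameter, which the returned URL above shows as `state=null`.

```python
import hmac
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = {
    "sandbox": "https://signin.sandbox.ebay.com/authorize",
    "production": "https://signin.ebay.com/authorize",
}
# Returned URL copied from the example above.
SAMPLE_RETURNED_URL = (
    "https://signin.ebay.com/ws/eBayISAPI.dll?ThirdPartyAuthSucessFailure"
    "&isAuthSuccessful=true&state=null&code=v%5E1.1%23i%5E1%23f%5E0%23I%5E3"
    "%23p%5E3%23r%5E1%23t%5EUl4zXzdGQkIyRUU1QzQ2MDQ5OTEyMDhBQzlCQ0MwOUE0MUM1"
    "XzAjRV4yNjA%3D"
)

def build_consent_url(env, client_id, redirect_uri, scopes, state=None):
    """Return the Step 1 URL; scopes are space-joined, then percent-encoded."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
    }
    if state is not None:  # assumption: standard OAuth 2.0 `state` is echoed back
        params["state"] = state
    # quote (not quote_plus) so the space between scopes becomes %20, as on the page
    return AUTHORIZE_URL[env] + "?" + urlencode(params, quote_via=quote)

def extract_code(returned_url, expected_state=None):
    """Pull the URL-decoded authorization code out of the post-consent URL."""
    query = parse_qs(urlsplit(returned_url).query)  # parse_qs decodes %XX itself
    if query.get("isAuthSuccessful", ["true"])[0] != "true":
        raise ValueError("user did not grant permission")
    if expected_state is not None:
        got = query.get("state", [""])[0]
        if not hmac.compare_digest(got.encode(), expected_state.encode()):
            raise ValueError("state mismatch: response does not belong to this request")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    return codes[0]
```

Generate `state` per consent request (for example with `secrets.token_urlsafe()`) and pass the same value to `extract_code` when the user returns.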



Step 2: Exchanging the authorization code for an access token
Use the authorization code in a POST request to obtain the associated User access token.

Here are the details of making the call

REQUEST

HTTP headers
  Content-Type = application/x-www-form-urlencoded
  Authorization = Basic <B64-encoded-oauth-credentials>
 
  <B64-encoded-oauth-credentials> = Base64-encode the value of <client_id>:<clientSecret>
  <client_id> = clientId obtained from calling the clientregistry service
  <clientSecret> = clientSecret obtained from calling the clientregistry service
  Base64 encoding can be done using the tool: https://www.base64encode.org/
 
Eg: Authorization header value before Base64 encoding: eBay28ff6-4df1-4571-99ab-a749dff849e:5c7104a5-8b48-4f97-8e93-c30dd685bc6a
After Base64 encoding: ZUJheTI4ZmY2LTRkZjEtNDU3MS05OWFiLWE3NDlkZmY3NjllOjVjNzEwNGE1LThiNDgtNGY5Ny04ZT

HTTP method: POST

Sandbox URL: https://api.sandbox.ebay.com/identity/v1/oauth2/token

Request body (wrapped for readability); you can also specify these as x-www-form-urlencoded name/value parameters:
  grant_type=authorization_code&code=<authorization_code>&redirect_uri=<your_redirect_uri>
 
  <authorization_code> = The code returned in the response of Step 1
  <your_redirect_uri> = redirectUri obtained from calling the clientregistry service
 
 Eg:
 grant_type=authorization_code&code=v^1.1#i^1#I^3#f^0#p^3#r^1#t^Ul4xX0Q3RUQ5M0RGNTE3ODQ1NTBBMDNEOERFREQ5RTA2RkIzXzAjRV4xMjg0&redirect_uri=eBay-eBay28ff6-4df1--mhvuniyf

Production URL: https://api.ebay.com/identity/v1/oauth2/token

RESPONSE
This is the response after executing the above request  
  {
    "access_token": "v^1.1#i^1#I^3#p^3#f^0#r^1#t^Ul4zX0UwRDlGQzI0QkY3RDE0NzBBNUY3UuU2OEQ5MTdGQjE4XzAjRV4yNjA=",
    "token_type": "User Access Token",
    "expires_in": 7055,
    "refresh_token": "v^1.1#i^1#p^3#r^1#I^3#f^0#t^Ul40XzFCMEYxQURBRDY5OURERTI2NEIzRkFDQTI1QzUzMUQwXzYjRV4yNjA=",
    "refresh_token_expires_in": 47304000
  }
You can use the access token to make calls.


NOTE: The access token is valid for 2 hours (7200 secs), but the value returned in 'expires_in' will not always be 7200 secs.

The reason is that the access token is already available the moment the authorization_code is generated. The time that elapses before you make the API call to exchange the authorization_code for the access token counts towards its lifetime, hence the value is not always 7200.



Step 3: Updating your access token using a refresh token
Use a refresh token to generate a new access token.
 
Here are the details of making the call
 
REQUEST

HTTP headers
  Content-Type = application/x-www-form-urlencoded
  Authorization = Basic <B64-encoded-oauth-credentials>
  (the value of the Authorization header is explained in detail in Step 2)

HTTP method: POST

Sandbox URL: https://api.sandbox.ebay.com/identity/v1/oauth2/token

Request body (wrapped for readability); you can also specify these as x-www-form-urlencoded name/value parameters:
  grant_type=refresh_token&refresh_token=<refresh-token-value>&scope=https://api.ebay.com/oauth/scope/@public https://api.ebay.com/oauth/scope/buy@user
  (use the same scope that you specified in the permission grant URL for the user)
 
  <refresh-token-value> = refresh_token value obtained in the response of Step 2

Eg:  
  grant_type=refresh_token&refresh_token=v^1.1#i^1#p^3#r^1#I^3#f^0#t^Ul40XzFCMEYxQURBRDY5OURERTI2NEIzRkFDQTI1QzUzMUQwXzYjRV4yNjA=&scope=https://api.ebay.com/oauth/scope/@public https://api.ebay.com/oauth/scope/buy@user
 
Production URL: https://api.ebay.com/identity/v1/oauth2/token

RESPONSE
This is the response after executing the above request  
  {
    "access_token": "v^1.1#i^1#f^0#r^1#p^3#I^3#t^Ul4zXzFBODY4RTI1NjMwQjI2NTFBODZDQUJDM0EzQzI4QjQ4XzAjRV4yNjA=",
    "token_type": "User Access Token",
    "expires_in": 7200,
    "refresh_token": "N/A"
  }
You can use the access token to make calls.




GUEST FLOW

Step 1: Sending a request for an access token

REQUEST

HTTP headers:
  Content-Type = application/x-www-form-urlencoded
  Authorization = Basic <B64-encoded-oauth-credentials>
 
  <B64-encoded-oauth-credentials> = Base64-encode the value of <client_id>:<clientSecret>
  <client_id> = clientId obtained from calling the clientregistry service
  <clientSecret> = clientSecret obtained from calling the clientregistry service
  Base64 encoding can be done using the tool: https://www.base64encode.org/
 
  Eg: Authorization header value before Base64 encoding: eBay28ff6-4df1-4571-99ab-a749dff849e:5c7104a5-8b48-4f97-8e93-c30dd685bc6a
  After Base64 encoding: ZUJheTI4ZmY2LTRkZjEtNDU3MS05OWFiLWE3NDlkZmY3NjllOjVjNzEwNGE1LThiNDgtNGY5Ny04ZT

HTTP method: POST

Sandbox URL: https://api.sandbox.ebay.com/identity/v1/oauth2/token

Request body (wrapped for readability); you can also specify these as x-www-form-urlencoded name/value parameters:
  grant_type=client_credentials&
  scope=https://api.ebay.com/oauth/scope/@public



Production URL: https://api.ebay.com/identity/v1/oauth2/token

RESPONSE
{
    "access_token": "v^1.1#i^1#I^3#f^0#p^1#r^1#t^Ul4xX0NCMDc5QzhFOTQzNDlDMDc2NjM1N0M1MDg3QUU5MkE5XzEjRV4xMjg0",
    "token_type": "Application Access Token",
    "expires_in": 7200,
    "refresh_token": "N/A"
}

You can use the access token to make calls.
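
The token requests from Step 2, Step 3 and the guest flow, built locally so the client secret and tokens are Base64- and form-encoded on your own machine rather than in an online tool. This is an added example, not eBay's code: the function names are assumptions, the requests are constructed but not sent, and `expires_at` follows the NOTE above by using the returned `expires_in` instead of a fixed 7200.

```python
import base64
import time
import urllib.request
from urllib.parse import urlencode

TOKEN_URL = {
    "sandbox": "https://api.sandbox.ebay.com/identity/v1/oauth2/token",
    "production": "https://api.ebay.com/identity/v1/oauth2/token",
}

def basic_credentials(client_id, client_secret):
    """Base64-encode '<client_id>:<clientSecret>' locally for the Authorization header."""
    raw = f"{client_id}:{client_secret}".encode("ascii")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request(env, client_id, client_secret, **form):
    """Build, but do not send, the POST. urlencode() percent-encodes the
    '^', '#', '=' and '+' characters that codes and tokens contain."""
    return urllib.request.Request(
        TOKEN_URL[env],
        data=urlencode(form).encode("ascii"),
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": basic_credentials(client_id, client_secret),
        },
        method="POST",
    )

def code_exchange(env, client_id, client_secret, code, redirect_uri):
    """Step 2: authorization code -> user access token."""
    return token_request(env, client_id, client_secret,
                         grant_type="authorization_code",
                         code=code, redirect_uri=redirect_uri)

def refresh(env, client_id, client_secret, refresh_token, scopes):
    """Step 3: refresh token -> new user access token."""
    return token_request(env, client_id, client_secret,
                         grant_type="refresh_token",
                         refresh_token=refresh_token, scope=" ".join(scopes))

def guest_token(env, client_id, client_secret, scopes):
    """Guest flow: client credentials -> application access token."""
    return token_request(env, client_id, client_secret,
                         grant_type="client_credentials", scope=" ".join(scopes))

def expires_at(token_response, issued_at=None, margin=60):
    """Absolute expiry from the returned expires_in (not a fixed 7200), less a margin."""
    issued_at = time.time() if issued_at is None else issued_at
    return issued_at + int(token_response["expires_in"]) - margin
```

Pass the returned object to `urllib.request.urlopen()` to send it, and keep the client secret out of source control and logs.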


Docs ref: http://edpweb-2.stratus.qa.ebay.com/drafts/buying-making-a-call/oauth-tokens.html
