Skip to main content
Published: August 24 2020, 12:35:00 PMUpdated: December 01 2022, 3:37:52 PM

This is a quick guide to illustrate the steps to get you started with OAuth for getting an User access token 


Getting the values needed for requesting user token 


  Retrieve your app's OAuth Credentials from Application Keys page and OAuth enabled RuName values of your App from User tokens page:

      client_id         - App ID (Client ID)

      clientSecret    - Cert ID (Client Secret)

      redirectUri      - OAuth Enabled RuName for the clientId

      redirectUrl      - Auth Accepted URL associated with the redirectUri

      A list of OAuth Scope required for access to the REST interfaces you plan to call.



OAuth Token Flow


Step 1. Get the user permission and obtain authorize code for your clientId
locale=<locale-value>&          // optional
prompt=login                    // optional
scope=<scopeList>&              // a URL-encoded string of space-separated scopes
state=<custom-state-value>&     // optional

NOTE. 1. multiple OAuth scopes must be separated in the string with spaces and then URL-encode the list of the scopes 2.  Pass prompt parameter and set to login in order to force an user to login in when you redirect them to grant application access page, even if they already have an existing user session 


      Below is an example redirectUrl after the user grants permission:

      <URL-decoded-auth-code>: URL decode the returned code value (
                An example URL-decoded-auth-codev^1.1#i^1#r^1#p^3#I^3#f^0#t^Ul4xXzE0QzJGQ0I2RDA2NENDMUY4MDkwRjQ3NDE3MzdENzU2XzJfMSNFXjEyODQ=


Step 2. Exchange the authorization code for a user token and refresh_token

     <B64-encoded-oauth-credentials>: Base64 encode the following: <your_client_id>:<your_client_secret(

      The following example call requests access token for the sandbox

POST /identity/v1/oauth2/token HTTP/1.1
Authorization: Basic <B64-encoded-oauth-credentials>
Content-Type: application/x-www-form-urlencoded


      A successful response to the request containing access_token, expires_in,refresh_token and refresh_token_expires_in values:

 "access_token": "v^1.1#i^1#r^0#I^3#p^3#...AAAOVXe2xTVRhf121kjo0YUGDxUS5v5LbnPnrbe0Mr3YO0uE",
 "token_type": "User Access Token",
 "expires_in": 7200,
 "refresh_token": "v^1.1#i^1#p^3#f^0#I^3#r^1#t^Ul4yX0Y0OUY1RjRENTU2NDZENTBFQ0E4ODg3MzE2Q0RFQj
    "refresh_token_expires_in": 47304000



Step 3. When the access token expires, use the refresh_token obtained in the step 2 to generate a new access token.    

HTTP headers:
   Content-Type = application/x-www-form-urlencoded
   Authorization = Basic <B64-encoded-oauth-credentials>
 Request body:
   grant_type=refresh_token&refresh_token=<refresh_token value obtained in the step 2>&scope=<URL-encoded-scope-name(s)>

NOTE.URL-encoded-scope-name(s) must match the ones appended to the signin url in the Step 1.
POST /identity/v1/oauth2/token HTTP/1.1
Authorization: Basic <B64-encoded-oauth-credentials>
Content-Type: application/x-www-form-urlencoded

     eBay mints a fresh access token in response similar to the following:
    "access_token": "v^1.1#i ... AjRV4yNjA=",
    "token_type":"User Access Token",
    "expires_in": 7200,
    "refresh_token": "N/A"

You can download the attachment below for the Postman sample project for the OAuth token API calls.

Additional Info    

API Documentation: The authorization code grant flow



How well did this answer your question?
Answers others found helpful