This quick guide illustrates the steps to get started with OAuth and obtain a user access token.
Getting the values needed for requesting user token
Retrieve your app's OAuth credentials from the Application Keys page and your app's OAuth-enabled RuName values from the User tokens page:
client_id - App ID (Client ID)
clientSecret - Cert ID (Client Secret)
redirectUri - OAuth Enabled RuName for the clientId
redirectUrl - Auth Accepted URL associated with the redirectUri
A list of the OAuth scopes required for access to the REST interfaces you plan to call.
OAuth Token Flow
Step 1. Get the user's permission and obtain an authorization code for your clientId
https://auth.sandbox.ebay.com/oauth2/authorize?
    client_id=<app-client-id-value>&
    locale=<locale-value>&              // optional
    prompt=login&                       // optional
    redirect_uri=<app-RuName-value>&
    response_type=code&
    scope=<scopeList>&                  // a URL-encoded string of space-separated scopes
    state=<custom-state-value>&         // optional
NOTE.
1. Multiple OAuth scopes must be separated with spaces, and the resulting list must then be URL-encoded.
2. Pass the prompt parameter set to login to force a user to log in when you redirect them to the grant application access page, even if they already have an existing user session.
Below is an example redirectUrl after the user grants permission:
https://signin.ebay.com/ws/eBayISAPI.dll?ThirdPartyAuthSucessFailure&isAuthSuccessful=true&state=null&code=v%5E1......EyODQ%3D
<URL-decoded-auth-code>: URL decode the returned code value (http://meyerweb.com/eric/tools/dencoder/):
An example URL-decoded-auth-code: v^1.1#i^1#r^1#p^3#I^3#f^0#t^Ul4xXzE0QzJGQ0I2RDA2NENDMUY4MDkwRjQ3NDE3MzdENzU2XzJfMSNFXjEyODQ=
Step 2. Exchange the authorization code for a user token and refresh_token
<B64-encoded-oauth-credentials>: Base64 encode the following: <your_client_id>:<your_client_secret> (https://www.base64encode.org/)
The following example call requests an access token for the sandbox:
POST /identity/v1/oauth2/token HTTP/1.1
Host: api.sandbox.ebay.com
Authorization: Basic <B64-encoded-oauth-credentials>
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=<URL-decoded-auth-code>&redirect_uri=<your_redirect_uri>
A successful response to the request contains access_token, expires_in, refresh_token and refresh_token_expires_in values:
{
"access_token": "v^1.1#i^1#r^0#I^3#p^3#...AAAOVXe2xTVRhf121kjo0YUGDxUS5v5LbnPnrbe0Mr3YO0uE",
"token_type": "User Access Token",
"expires_in": 7200,
"refresh_token": "v^1.1#i^1#p^3#f^0#I^3#r^1#t^Ul4yX0Y0OUY1RjRENTU2NDZENTBFQ0E4ODg3MzE2Q0RFQjM2XzdfMSNFXjI2MA==",
"refresh_token_expires_in": 47304000
}
Step 3. When the access token expires, use the refresh_token obtained in step 2 to generate a new access token.
HTTP headers:
Content-Type = application/x-www-form-urlencoded
Authorization = Basic <B64-encoded-oauth-credentials>
Request body:
grant_type=refresh_token&refresh_token=<refresh_token value obtained in step 2>
POST /identity/v1/oauth2/token HTTP/1.1
Host: api.sandbox.ebay.com
Authorization: Basic <B64-encoded-oauth-credentials>
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=v^1.1#i^1#p^3#f^0#I^3#r^1#t^Ul4yX0Y0OUY1RjRENTU2NDZENTBFQ0E4ODg3MzE2Q0RFQjM2XzdfMSNFXjI2MA==
In response, eBay mints a fresh access token, similar to the following:
{
"access_token": "v^1.1#i ... AjRV4yNjA=",
"token_type": "User Access Token",
"expires_in": 7200,
"refresh_token": "N/A"
}
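The three steps above, sketched in Python as an added example (not eBay's code and not part of the original guide): it builds the step 1 URL, URL-decodes the returned code and Base64-encodes the credentials locally instead of in an online tool, and checks the returned state against the one that was sent. The function names and the choice to always send a random state are assumptions of this sketch; sending the request is left to your HTTP client, which is assumed to form-encode the fields.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.sandbox.ebay.com/oauth2/authorize"  # sandbox URL from step 1


def build_authorize_url(client_id, ru_name, scopes, state=None):
    """Step 1: return (url, state); scopes are space-joined, then URL-encoded."""
    state = state or secrets.token_urlsafe(16)  # assumption: always send a random state
    params = {"client_id": client_id, "redirect_uri": ru_name,
              "response_type": "code", "scope": " ".join(scopes), "state": state}
    # quote_via=quote encodes the separating spaces as %20 rather than '+'
    return AUTHORIZE_URL + "?" + urlencode(params, quote_via=quote), state


def extract_auth_code(redirect_url, expected_state):
    """Return the URL-decoded code from the redirect, rejecting a foreign state."""
    query = parse_qs(urlsplit(redirect_url).query)  # parse_qs URL-decodes each value
    if query.get("isAuthSuccessful", [""])[0] != "true":
        raise ValueError("user did not grant access")
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect does not match this request")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carries no code")
    return code


def basic_credentials(client_id, client_secret):
    """Base64 of '<client_id>:<client_secret>', computed locally."""
    return base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def token_request(client_id, client_secret, ru_name=None, code=None, refresh_token=None):
    """Step 2 (code given) or step 3 (refresh_token given): headers and form fields."""
    headers = {"Authorization": "Basic " + basic_credentials(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    if code is not None:
        fields = {"grant_type": "authorization_code", "code": code,
                  "redirect_uri": ru_name}
    elif refresh_token is not None:
        fields = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    else:
        raise ValueError("pass either code or refresh_token")
    return headers, fields  # the HTTP client form-encodes fields when sending (assumption)
```

Keep the state returned by build_authorize_url in the user's session so extract_auth_code can compare it when the redirect arrives.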
You can download the attachment below for the Postman sample project for the OAuth token API calls.
Additional Info
API Documentation: The authorization code grant flow