eBay

stewart-macdonald · ‎10-04-2023

Beginning around 1 PM EDT, I started receiving "the provided authorization refresh token is invalid or was issued to another client" when requesting an access token. I generated a new refresh token but continue to receive the same error message.

Did something change at the turn of the month regarding API authentication?

shipscript · ‎10-04-2023

Perhaps the original 18 month User authorization token has come to an end and it is time to go through the authentication process to grant a new user token.

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.

stewart-macdonald · ‎10-04-2023

Thank you for your reply.

When I said I'd acquired a new refresh token, I may have misspoken. This is what I've gotten

I've been using this API for six years. I think that when this token has previously expired, the error message indicated it was expired, not that it was invalid.

shipscript · ‎10-04-2023

Does your application use an OAuth token or Auth-n-auth token?

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.

stewart-macdonald · ‎10-04-2023

I've never really known which method I've been using.

I send a POST request to /identity/v1/oauth2/token. In the headers, I include

Authorization: Basic [Base64 ClientID and ClientSecret]

The POST data is

grant_type=refresh_token&refresh_token=[The token from the image I posted earlier]

The response would include an access_token value which I'd then include in the headers of my GET calls like

Authorization: Bearer [Acess token]

So my first POST request is to an endpoint that includes "oauth2" in the URL but the refresh_token value I've always sent is acquired with "Auth'n'Auth" selected under the Get a User Token Here as in the screenshot above. If I select "OAuth (new security)", I get a much longer token that has never been of any use to me.

shipscript · ‎10-04-2023

Which API are you accessing?

If you are using a RESTful API, then OAuth is required.

The OAuth token requires a refresh token, while the Auth-n-Auth does not.

If using a traditional API, like the Trading API, then either OAuth or Auth-n-Auth can be used.

https://developer.ebay.com/api-docs/static/authorization_guide_landing.html

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.

stewart-macdonald · ‎10-05-2023

I'm using sell/fulfillment/v1/order which, if I'm not mistaken is a REST endpoint.

As I said before, I don't know which authentication method I'm using. I think it's OAuth but for six years, I've been getting a token by selecting Auth'n'Auth under Get a User Token Here. Have I been doing it wrong this whole time and on Sunday, a loophole I've been exploiting got plugged?