
API authentication broke October 1. Did something change?

Beginning around 1 PM EDT, I started receiving "the provided authorization refresh token is invalid or was issued to another client" when requesting an access token. I generated a new refresh token but continue to receive the same error message.

Did something change at the turn of the month regarding API authentication?

Message 1 of 7

Perhaps the original 18-month User authorization token has come to an end and it is time to go through the authentication process to grant a new user token.

ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.
Message 2 of 7

Thank you for your reply.

When I said I'd acquired a new refresh token, I may have misspoken. This is what I've gotten:

stewartmacdonald_0-1696442605912.png

I've been using this API for six years. I think that when this token has previously expired, the error message indicated it was expired, not that it was invalid.

Message 3 of 7

Does your application use an OAuth token or Auth-n-auth token?

 

 

Message 4 of 7

I've never really known which method I've been using.

I send a POST request to /identity/v1/oauth2/token. In the headers, I include

Authorization: Basic [Base64 ClientID and ClientSecret]

The POST data is

grant_type=refresh_token&refresh_token=[The token from the image I posted earlier]

The response would include an access_token value which I'd then include in the headers of my GET calls like

Authorization: Bearer [Access token]


So my first POST request is to an endpoint that includes "oauth2" in the URL but the refresh_token value I've always sent is acquired with "Auth'n'Auth" selected under the Get a User Token Here as in the screenshot above. If I select "OAuth (new security)", I get a much longer token that has never been of any use to me.

Message 5 of 7
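
The refresh request described in the post above, and one way to read its failure response, as an added example that is not code from the poster or from eBay. The host `api.example.test`, the credentials and the response bodies are constructed, and the error names are those of RFC 6749 section 5.2, assumed here to apply to this endpoint.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder host (assumption); only the path appears in the post.
TOKEN_URL = "https://api.example.test/identity/v1/oauth2/token"

# RFC 6749 section 5.2 error codes mapped to an operator action (assumed to apply here).
ACTIONS = {
    "invalid_grant": "reauthorize",         # token invalid, expired, revoked or issued to another client
    "invalid_client": "check_credentials",  # the Basic header was rejected
    "invalid_request": "fix_request",
    "unsupported_grant_type": "fix_request",
}

# Constructed sample bodies; the error_description is the message quoted in the thread.
SAMPLE_OK = '{"access_token": "constructed-access-token", "expires_in": 7200}'
SAMPLE_FAIL = ('{"error": "invalid_grant", "error_description": "the provided authorization '
               'refresh token is invalid or was issued to another client"}')


def build_refresh_request(client_id, client_secret, refresh_token):
    """Return (url, headers, body) for the refresh_token grant described in the post."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    # urlencode percent-escapes '+', '/', '=' and similar characters; sending a
    # token unescaped in a form body changes its value on the server side.
    body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token})
    return TOKEN_URL, headers, body


def interpret_token_response(status, raw_body):
    """Classify a token-endpoint response as success or a specific failure action."""
    try:
        doc = json.loads(raw_body)
        if not isinstance(doc, dict):
            raise ValueError("token response is not a JSON object")
    except ValueError:
        return {"ok": False, "action": "retry_or_escalate", "error": "malformed_response"}
    if status == 200 and "access_token" in doc:
        return {"ok": True, "bearer": f"Bearer {doc['access_token']}",
                "expires_in": doc.get("expires_in")}
    error = doc.get("error", "unknown")
    return {"ok": False, "action": ACTIONS.get(error, "retry_or_escalate"), "error": error}


if __name__ == "__main__":
    print(interpret_token_response(400, SAMPLE_FAIL))
```

A `reauthorize` result is not fixed by retrying the same request: RFC 6749 uses `invalid_grant` for a refresh token that is invalid, expired, revoked or issued to another client, and the remedy in each case is a new user consent.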

Which API are you accessing?

If you are using a RESTful API, then OAuth is required.

The OAuth token requires a refresh token, while the Auth-n-Auth does not.

If using a traditional API, like the Trading API, then either OAuth or Auth-n-Auth can be used.

https://developer.ebay.com/api-docs/static/authorization_guide_landing.html 

 

 

Message 6 of 7

I'm using sell/fulfillment/v1/order which, if I'm not mistaken, is a REST endpoint.

 

As I said before, I don't know which authentication method I'm using. I think it's OAuth but for six years, I've been getting a token by selecting Auth'n'Auth under Get a User Token Here. Have I been doing it wrong this whole time and on Sunday, a loophole I've been exploiting got plugged?

Message 7 of 7