10-04-2023 08:52 AM
Beginning around 1 PM EDT, I started receiving "the provided authorization refresh token is invalid or was issued to another client" when requesting an access token. I generated a new refresh token but continue to receive the same error message.
Did something change at the turn of the month regarding API authentication?
10-04-2023 09:28 AM
Perhaps the original 18 month User authorization token has come to an end and it is time to go through the authentication process to grant a new user token.
10-04-2023 11:05 AM
Thank you for your reply.
When I said I'd acquired a new refresh token, I may have misspoken. This is what I've gotten
I've been using this API for six years. I think that when this token has previously expired, the error message indicated it was expired, not that it was invalid.
10-04-2023 12:46 PM
Does your application use an OAuth token or Auth-n-auth token?
10-04-2023 01:14 PM
I've never really known which method I've been using.
I send a POST request to /identity/v1/oauth2/token. In the headers, I include
Authorization: Basic [Base64 ClientID and ClientSecret]
The POST data is
grant_type=refresh_token&refresh_token=[The token from the image I posted earlier]
The response would include an access_token value which I'd then include in the headers of my GET calls like
Authorization: Bearer [Acess token]
So my first POST request is to an endpoint that includes "oauth2" in the URL but the refresh_token value I've always sent is acquired with "Auth'n'Auth" selected under the Get a User Token Here as in the screenshot above. If I select "OAuth (new security)", I get a much longer token that has never been of any use to me.
10-04-2023 01:54 PM
Which API are you accessing?
If you are using a RESTful API, then OAuth is required.
The OAuth token requires a refresh token, while the Auth-n-Auth does not.
If using a traditional API, like the Trading API, then either OAuth or Auth-n-Auth can be used.
https://developer.ebay.com/api-docs/static/authorization_guide_landing.html
10-05-2023 07:03 AM
I'm using sell/fulfillment/v1/order which, if I'm not mistaken is a REST endpoint.
As I said before, I don't know which authentication method I'm using. I think it's OAuth but for six years, I've been getting a token by selecting Auth'n'Auth under Get a User Token Here. Have I been doing it wrong this whole time and on Sunday, a loophole I've been exploiting got plugged?