ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.
This is a response to eBay’s claims that the new “Application Access” authorization is to repair the avatars and feedback that have been missing from the eBay community, originally posted here: https://community.ebay.com/t5/Share-Community-Platform/Intermittent-issues-on-Community-platform-mis...
The information mentioned is freely available to anyone. You do not need any form of application authorization to retrieve this information.
As evidence to back up this claim, I will have to give an explanation of exactly what these “Grant Application Access” messages are, how the eBay API works, and what information is freely available.
What is the eBay API?
The eBay API is basically a system that will allow software to communicate with eBay and exchange information/data. Much of eBay’s website uses the API to retrieve the information that it displays on the “My eBay” and “Sellers Hub” pages.
What information is available through the API?
In basic terms, there’s basically two classes of information that are available on eBay. For this explanation I’ll be calling them Public and Private.
For example, when you’re browsing eBay and looking at other users' listings, the information you’re seeing is “public”. This means anyone can see the information. You could see the item they posted, the photos, the pricing, etc.
In another example, if you go to revise your own listings, you’ll see all the “public” information that was shown, but since you’re logged in to your own account, you also have access to seeing additional information such as rate tables, handling time, promotion values, etc. This is the “private” information. Typically, you could only see “Private” information on your own account.
Some functions of eBay are private as well. If you try to create a new listing, that is considered a “private” function. Nobody else could create new listings for your store. Only you could.
What are these “Grant Application Access” pages?
Let’s say for example that I’ve created a piece of software to assist with creating listings, and checking recent orders to see if any of the listings that were created sold. We’ll say in this example that the name of this software was “ExListing Manager”
By default, “ExListing Manager” could use the eBay API to check information that is public.
Now you’ve learned about “ExListing Manager” and you’d like to try it. Once you’re registering for the software, it’ll direct you to a webpage that states:
“Grant Application Access: ExListing Manager”
If you agree to this request, it basically generates a token (let’s say like a password) that will allow “ExListing Manager” to access your private eBay data.
Prior to agreeing, if “ExListing Manager” attempted to create a listing on your store, it wouldn’t be allowed. But after you had agreed, it can send the request to create a listing to the eBay API, and it can now use the token, and eBay would allow the software to create the listing on your behalf.
“ExListing Manager” also is supposed to track if the listings it creates are sold. So it will also be using API to check your sold listings. It could check for notifications from the API with your token to confirm if an order is processing, and then typically once an order is paid, that would trigger the software to basically say “The item sold! Let’s increase the sold number by 1”.
How are we being lied to?
EBay had claimed that this new authorization for the eBay community was to restore the avatar images and feedback modules that had not been working for a couple months now. For those of us who have experience with the eBay API and know what the Application Access grants, we know this is a lie.
The store avatar images and feedback? Those are both pieces of PUBLIC information. You do not need any private access to retrieve these images. Just like how you could go to another sellers store page and see their images and feedback on the eBay website directly, software could do this with the eBay API without any special access.
To prove this, I’ve tested it myself. I browsed to the eBay homepage and one of the daily deals it’s giving me is for this listing: https://www.ebay.com/itm/202694169021
If I use the eBay API call “GetStore”, with this sellers name: “harmanaudio”, I do not have any “Application Access” for them. I will only be retrieving public information. The full information is quite long, but this is an excerpt from the results that I receive from the eBay API:
{
"$": {
"xmlns": "urn:ebay:apis:eBLBaseComponents"
},
"Timestamp": "2021-11-19T18:23:12.611Z",
"Ack": "Success",
"Version": "1177",
"Build": "E1177_CORE_API5_19110890_R1",
"Store": {
"Name": "Harman Audio",
"URLPath": "harmanaudio",
"URL": "http://www.ebay.com/str/harmanaudio",
"SubscriptionLevel": "CustomCode",
"Description": "Welcome to the official eBay store for the Harman family of brands: JBL, Harman Kardon, AKG, and Infinity. Shop premium wireless speakers, headphones, home speakers, car speakers, and more!",
"Logo": {
"URL": "http://i.ebayimg.com/00/s/MTE0WDIwMA==/z/FqcAAOSwdBRZg6by/$_1.JPG?set_11.JPG?set_id=807"
},
Sure enough, you could see in the “Logo” > “URL” section, there’s the avatar image. Again, I want to stress this is all public information freely available to the eBay API without any Application Access.
Then I could use the GetFeedback API call on the same store and here is another excerpt:
{
"$": {
"xmlns": "urn:ebay:apis:eBLBaseComponents"
},
"Timestamp": "2021-11-19T18:26:23.179Z",
"Ack": "Success",
"Version": "1201",
"Build": "E1201_CORE_APIFEEDBACK_19196963_R1",
"FeedbackScore": "197512",
As you could see, this information is all public, freely accessible information that does not require any form of Application Access.
And then for the URL links to others listings? You could literally do that with a URL and a simple store name:
https://www.ebay.com/sch/zamo-zuan/m.html?_nkw=&_armrs=1&_ipg=&_from=
Just change zamo-zuan to the username. You do NOT need the eBay API at all for this one!
The data already exists in the Community Forum servers
One more alarming thing is that we're being told this access is what's restoring the images. But if you take a look at existing posts in the dev console, you can see that the avatar images already exist on the Khoros/Lithium servers!
For the record, I retrieve that on another PC that was NOT logged in and NOT authorized! As you could see in the screenshot, the image already exists on the lithium server. No access to eBay is needed, and certainly not API access.
If the images already exist on the Lithium server, if we're not seeing them, then Khoros/Lithium itself is blocking us from seeing information on their own servers.
Yet we're being told that we need to approve access in order to see this information...?
So this brings me back to my original question…
Why is eBay lying to us about Application Access? What information is really being retrieved from our stores?
The only reason for Application Access would be to access any private information. What private information could the eBay Community possibly need?
Furthermore, they’re not even following their own terms, as they are supposed to be transparent about the reasons they’re requesting access in the Application Access request itself. It even states if you click for more information that “Additional capabilities as described to you in the application or by the application’s provider” - and the eBay community does NOT describe what additional capabilities are being accessed. And as mentioned, the reason we’re being given does not require this type of access.
To make things even worse, it says “Just go to my eBay if you change your mind”. I tried to go there to monitor our 3rd party authorizations, and the preferences page isn’t even loading to allow us to see what applications are accessing our accounts, or remove their access!
So what’s really going on here, eBay?
What private information is being accessed by the Community software?
Why is the request not even informing us of what is being accessed?
Why is the wool being pulled over community members' eyes?
Why are members being told reasons that could easily be debunked?
@zamo-zuan wrote:To make things even worse, it says “Just go to my eBay if you change your mind”. I tried to go there to monitor our 3rd party authorizations, and the preferences page isn’t even loading to allow us to see what applications are accessing our accounts, or remove their access!
It loads just fine on my selling accounts that did not grant access to the forums. I get the error you depict above when trying to load that page through this posting ID.
My question also. I use the grant flow in my own API access and have asked the team why permission is needed when the data is in the public API database. As you know from the API, the application must provide a scope for the call. The grant screen has a link to what is being requested (the scope), but it wasn't yet working. Can you reach it now? I'm apparently not passing through that grant screen, so can't test.
In the community, there is also the option to use the Khoros login to access the core site. Can you find that in your quest? That might be the reason for the grant flow.
@coffeebean832 wrote:
@zamo-zuan wrote:To make things even worse, it says “Just go to my eBay if you change your mind”. I tried to go there to monitor our 3rd party authorizations, and the preferences page isn’t even loading to allow us to see what applications are accessing our accounts, or remove their access!
It loads just fine on my selling accounts that did not grant access to the forums. I get the error you depict above when trying to load that page through this posting ID.
That screenshot is directly from the account I am posting on now, which is our main account, and not a posting ID.
I have had this error for the past few months on this account. This account once had a selling manager token and a long string of tokens for all of the File Exchange sites. I had suspected something happened after File Exchange closed, but that is just speculation. On another account, one that had accessed Khoros and had used File Exchange until a year ago, the page opens and there are no 3P (third party) tokens at all.
Featured Posts
