ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.
1 BEST ANSWER
Accepted Solutions
Almost all of the API calls require a token (a very few require only an AppID).
OAuth tokens fall into two categories:
1) The first is "Client credentials grant flow" for applications that do not access user accounts, where the "client" is the application. eBay grants the application access to those APIs.
2) The other is "Authorization code grant flow" for applications that access user accounts, where a user-token is issued with the account holder's consent. The API calls that access accounts will fail without a user token.
You can issue a token to yourself (or to your application) for most of the general calls and then simply refresh it as needed. That way, you can be the one providing consent. But if you want to get into an account, the token must be specific to the user-account that the call is accessing. At least one consent is required to issue a token, which can be regularly refreshed for up to 18 months. Then the third-party permissions would again be required.
The "Authorization grant flow" can be initiated from your own application to display an authorization screen for the user. When the user clicks the button to agree, eBay will redirect the user to a "success" page, which can also be a page on your own server. Thus, your server can respond to the data that eBay attaches to the "success" URL (which has a 5 minute life span) and can silently process the longer-lived token and refresh token after the consent has been given.
Did you click the option (2) to get a user token by signing into your sandbox user?
When you do so, the token box (3) will populate, as will the IAF token (4).
Then click the "Execute" button to see the response header and response body.
Because I haven't created a sandbox user, I tested with the production endpoint and there were no issues retrieving the full list of categories.
Almost all of the API calls require a token (a very few require only an AppID).
OAuth tokens fall into two categories:
1) The first is "Client credentials grant flow" for applications that do not access user accounts, where the "client" is the application. eBay grants the application access to those APIs.
2) The other is "Authorization code grant flow" for applications that access user accounts, where a user-token is issued with the account holder's consent. The API calls that access accounts will fail without a user token.
You can issue a token to yourself (or to your application) for most of the general calls and then simply refresh it as needed. That way, you can be the one providing consent. But if you want to get into an account, the token must be specific to the user-account that the call is accessing. At least one consent is required to issue a token, which can be regularly refreshed for up to 18 months. Then the third-party permissions would again be required.
The "Authorization grant flow" can be initiated from your own application to display an authorization screen for the user. When the user clicks the button to agree, eBay will redirect the user to a "success" page, which can also be a page on your own server. Thus, your server can respond to the data that eBay attaches to the "success" URL (which has a 5 minute life span) and can silently process the longer-lived token and refresh token after the consent has been given.
