What OAuth Scopes Are Needed For The TradingAPI Messaging APIs?
‎04-08-2025 09:21 PM
(Disclaimer: I'm relatively new to using the eBay Developer APIs, and Auth in general.)
Hi, I've been digging into the eBay TradingAPIs and want to use the GetMyMessages and GetMyMemberMessages APIs, but can't find what scopes they require when using the Authorization Code Grant Flow.
I've been able to test this on my personal account, and found that seemingly the only scope I needed to provide was `scope=https://api.ebay.com/oauth/api_scope`.
Looking at the description of that scope:
| https://api.ebay.com/oauth/api_scope | View public data from eBay |
Using the authorization_code granted from the sign-in URL with just that scope, I was able to use my developer account to read my test account's personal messages. This doesn't seem like the intended implementation of that scope.
Am I missing something in how eBay and the TradingAPIs handle scopes? Are the scopes just suggestive?
My general workflow is:
1. Go to my User Tokens
2. Grab the "Your branded eBay Production Sign In (OAuth)"
3. Strip off all scopes in the URL except `scope=https://api.ebay.com/oauth/api_scope`
4. Open an incognito browser, log in as my Gmail account.
5. Go to the branded URL, and approve, copy the authorization code.
6. Go to my dev environment, use that authorization code to generate access and refresh tokens.
7. Use the refresh token to generate a new access token (as if the first one had expired).
8. Call the GetMyMessages API using the Python ebaysdk, with the access token.
9. Call is successful.
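Steps 3, 6 and 7 of the workflow above, as an added example that is not part of the original post and is not eBay's code. It builds the requests without sending them; the token endpoint URL, the sample sign-in URL and every credential value are assumptions or constructed placeholders.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_SCOPE = "https://api.ebay.com/oauth/api_scope"  # the only scope kept in step 3
# Assumption: eBay's production token endpoint; it is not quoted in the thread.
TOKEN_URL = "https://api.ebay.com/identity/v1/oauth2/token"

# Constructed sign-in URL; client_id and redirect_uri (RuName) are placeholders.
SAMPLE_URL = (
    "https://auth.ebay.com/oauth2/authorize?client_id=EXAMPLE-APP-ID"
    "&response_type=code&redirect_uri=EXAMPLE-RUNAME"
    "&scope=https://api.ebay.com/oauth/api_scope"
    "%20https://api.ebay.com/oauth/api_scope/sell.inventory"
)

def requested_scopes(url):
    """Return the scopes a consent URL asks the user to approve."""
    params = dict(parse_qsl(urlsplit(url).query))
    return params.get("scope", "").split()

def restrict_scopes(url, keep=(BASE_SCOPE,)):
    """Step 3: rewrite the URL so it requests only the scopes in `keep`."""
    parts = urlsplit(url)
    query = [(k, " ".join(s for s in v.split() if s in keep) if k == "scope" else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def token_request(client_id, client_secret, **form):
    """Steps 6-7: build (not send) the POST for the token endpoint."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, urlencode(form)

if __name__ == "__main__":
    url = restrict_scopes(SAMPLE_URL)
    print(requested_scopes(url))
    # Step 6: exchange the authorization code copied in step 5.
    print(token_request("EXAMPLE-APP-ID", "EXAMPLE-SECRET",
                        grant_type="authorization_code",
                        code="CODE-FROM-STEP-5", redirect_uri="EXAMPLE-RUNAME")[2])
    # Step 7: mint a new access token from the refresh token, same single scope.
    print(token_request("EXAMPLE-APP-ID", "EXAMPLE-SECRET",
                        grant_type="refresh_token",
                        refresh_token="REFRESH-TOKEN", scope=BASE_SCOPE)[2])
```

Running `requested_scopes` on the URL before approving it shows exactly what the consent screen is being asked to grant, which is the value to compare against what the resulting token is later able to call.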
‎04-09-2025 04:44 PM
Hi @nor_2167,
Best regards,
eBay Developer Support
‎04-09-2025 07:31 PM
Hi developer-support@ebay.com,
I wasn't able to find this in the documentation anywhere, was there somewhere that mentioned it? If not, it would be helpful to add it.
I'll also list my concern that from the OAuth Scopes documentation:
| Scope | Description |
| --- | --- |
| https://api.ebay.com/oauth/api_scope | View public data from eBay |

Allowing developers to read a user's messages by requesting a scope that has the above description seems a bit innocuous. For buyers and sellers who are doing their research, they might be confused by the fact that an application they granted this scope may be able to read their messages.
