
What OAuth Scopes Are Needed For The TradingAPI Messaging APIs?

(disclaimer, I'm relatively new to using the eBay Developer APIs, and Auth in general).

Hi, I've been digging into the eBay TradingAPIs and want to use the GetMyMessages and GetMyMemberMessages APIs, but can't find what scopes they require when using Authorization Code Grant Flow?

I've been able to test this on my personal account, and found that seemingly the only scope I needed to provide was `scope=https://api.ebay.com/oauth/api_scope`.

Looking at the description of that scope:

`https://api.ebay.com/oauth/api_scope`: View public data from eBay

Using the authorization_code granted from the sign-in URL with just that scope, I was able to use my developer account to read my test account's personal messages. This doesn't seem like the intended implementation of that scope.

Am I missing something in how eBay and the TradingAPIs handle scopes? Are the scopes just suggestive?

 

My general workflow is:

1. Go to my User Tokens

2. Grab the "Your branded eBay Production Sign In (OAuth)"

3. Strip off all scopes in the URL except `scope=https://api.ebay.com/oauth/api_scope`

4. Open an incognito browser, log in as my Gmail account.

5. Go to the branded URL, and approve, copy the authorization code.

6. Go to my dev environment, use that authorization code to generate access and refresh tokens.

7. Use the refresh token to generate a new access token (as if the first one had expired).

8. Call the GetMyMessages API using the Python ebaysdk, with the access token.

9. Call is successful.

Message 1 of 3
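
Steps 3, 6 and 7 of the workflow above, as an added sketch (not the poster's code and not the ebaysdk): it lists the scopes a sign-in URL requests, narrows them to the base scope, and builds the two token-endpoint requests without sending them. The app ID, RuName and sample URL are constructed placeholders, and the authorize and token endpoint URLs are assumed from eBay's OAuth documentation rather than taken from this thread.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_SCOPE = "https://api.ebay.com/oauth/api_scope"
TOKEN_URL = "https://api.ebay.com/identity/v1/oauth2/token"  # assumed, not on this page
# Constructed sign-in URL: the app ID and RuName are placeholders.
SAMPLE_URL = ("https://auth.ebay.com/oauth2/authorize?client_id=EXAMPLE-APP-ID"
              "&response_type=code&redirect_uri=EXAMPLE-RUNAME"
              f"&scope={BASE_SCOPE}%20{BASE_SCOPE}/sell.inventory")

def requested_scopes(sign_in_url):
    """List the scopes a consent URL asks for, in order, without duplicates."""
    query = dict(parse_qsl(urlsplit(sign_in_url).query))
    return list(dict.fromkeys(query.get("scope", "").split()))

def narrow_scopes(sign_in_url, keep=(BASE_SCOPE,)):
    """Step 3: rewrite the consent URL so it requests only scopes in `keep`."""
    parts = urlsplit(sign_in_url)
    query = dict(parse_qsl(parts.query))
    kept = [s for s in requested_scopes(sign_in_url) if s in keep]
    if not kept:
        raise ValueError("the URL requests none of the scopes in `keep`")
    query["scope"] = " ".join(kept)
    return urlunsplit(parts._replace(query=urlencode(query)))

def token_request(client_id, client_secret, **form):
    """Build (without sending) a POST to the token endpoint."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, urlencode(form)

def exchange_code(client_id, client_secret, code, ru_name):
    """Step 6: trade the authorization code for access and refresh tokens."""
    return token_request(client_id, client_secret,
                         grant_type="authorization_code",
                         code=code, redirect_uri=ru_name)

def refresh_access_token(client_id, client_secret, refresh_token, scopes=(BASE_SCOPE,)):
    """Step 7: mint a new access token; `scopes` cannot exceed the original grant."""
    return token_request(client_id, client_secret, grant_type="refresh_token",
                         refresh_token=refresh_token, scope=" ".join(scopes))

if __name__ == "__main__":
    print(requested_scopes(SAMPLE_URL))
    print(narrow_scopes(SAMPLE_URL))
```

Running `requested_scopes` on the URL an application actually sends users to shows exactly what consent is being asked for before anyone clicks approve.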

Hi @nor_2167,

You can use the scope https://api.ebay.com/oauth/api_scope to generate an OAuth user access token for making Trading API calls such as GetMyMessages and GetMyMemberMessages. These specific API calls do not require any additional scopes.

Best regards,
eBay Developer Support

Message 2 of 3

Hi developer-support@ebay.com,

I wasn't able to find this in the documentation anywhere, was there somewhere that mentioned it? If not, it would be helpful to add it.

I'll also list my concern that from the OAuth Scopes documentation:

| Scope | Description |
| --- | --- |
| https://api.ebay.com/oauth/api_scope | View public data from eBay |

Allowing developers to read a user's messages by requesting a scope that has the above description seems a bit innocuous. For buyers and sellers who are doing their research, they might be confused by the fact that an application they granted this scope may be able to read their messages.

Message 3 of 3