ShipScript has been an eBay Community volunteer since 2003, specializing in HTML, CSS, Scripts, Photos, Active Content, Technical Solutions, and online Seller Tools.
There are two types of access tokens:
The client_credential is for the application to fetch public data;
whereas, the user-consent is meant to gain access to a seller's account details.
See this page if you are trying to get into a user's account:
https://developer.ebay.com/api-docs/static/oauth-consent-request.html
See this page if you are trying to access public data:
https://developer.ebay.com/api-docs/static/oauth-client-credentials-grant.html
grant_type=client_credential (public data)
https://developer.ebay.com/api-docs/static/oauth-client-credentials-grant.html
This construction is for generating a client access token (your application is the client). This POST would be used in an API that accesses public data. The token is valid for 2 hours (7200 seconds). When the token expires, you must mint a new token using the same process.
curl -X POST 'https://api.sandbox.ebay.com/identity/v1/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic UkVTVFRlc3...wZi1hOGZhLTI4MmY=' \
-d 'grant_type=client_credentials&scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope https:%3A%2F%2api.ebay.com%2oauth%2api_scope%2sell.account'
grant-type=authorization_code (private data)
https://developer.ebay.com/api-docs/static/oauth-authorization-code-grant.html
This method is for generating a user token to access private data within a seller account.
If you are playing in the sandbox, then you must have a sandbox user.
If working in production environment, then a registered eBay user would be needed.
There are three parts to the user authentication process:
The first part is getting the user to sign into eBay to grant permission to access that user's account.
GET https://auth.sandbox.ebay.com/oauth2/authorize?
client_id=<app-client-id-value>&
locale=<locale-value>& // optional
prompt=login // optional
redirect_uri=<app-RuName-value>&
response_type=code&
scope=<scopeList>& // a URL-encoded string of space-separated scopes
state=<custom-state-value>& // optionalYou can launch the feature programmatically with a GET (above), or can send the user to eBay's token setting webpage. In either case, the user must manually log into eBay to consent.
https://developer.ebay.com/api-docs/static/oauth-consent-request.html
The redirect_uri is your API-encoded website landing page that will process the query string that eBay has added to the URI after the user agrees to account access. Your app must be ready to automatically process the query string to pull in the user authorization code. Below is an example of the query that your application would receive that includes the authorization "code". As you can see, it expires in 5 minutes, so must be used quickly:
https://www.example.com/acceptURL.html?
state=<client_supplied_state_value>&
code=v%5E1.1% ... NjA%3D&
expires_in=299This same 5-minute authorization code can be generated within the user tokens page of your Developer account.
The second part is exchanging the authorization "code" for a token before it expires in 5 minutes.
https://developer.ebay.com/api-docs/static/oauth-auth-code-grant-request.html
Notice in the example below that the authorization "code" from the above user exchange is passed in this POST operation.
curl -X POST 'https://api.sandbox.ebay.com/identity/v1/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic RGF2eURldmUtRG2 ... ZTVjLTIxMjg=' \ <B64-encoded-oauth-credentials>
-d 'grant_type=authorization_code&
code=v%5E1.1%23i%5E1%23f% ... 3D%3D&
redirect_uri=Davy_Developer-DavyDeve-DavysT-euiukxwt'The response from the POST operation is a 2 hour access token and an 18 month refresh token. For short duration access, the two hours might be sufficient. But if engaging with this user over a period of time, then store the refresh token.
{
"access_token": "v^1.1#i^1#p^3#r^1...XzMjRV4xMjg0",
"expires_in": 7200,
"refresh_token": "v^1.1#i^1#p^3#r^1...zYjRV4xMjg0",
"refresh_token_expires_in": 47304000,
"token_type": "User Access Token"
}
The third (optional) part involves the 18-month refresh token that is linked directly to the user account. It has only one purpose, and that is to produce a new 2-hour access token that can be used in an application. Making a call with the refresh token requires 'grant_type=refresh_token', along with the token itself within the POST. The scopes must also be included as a space-delimited list that must be URL-encoded.
https://developer.ebay.com/api-docs/static/oauth-refresh-token-request.html
curl -X POST 'https://api.sandbox.ebay.com/identity/v1/oauth2/token' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic RGF2eURldmUtRG2 ... ZTVjLTIxMjg=' \
-d 'grant_type=refresh_token&
refresh_token=v^1.1#i^1#p^3# ... fMSNFXjEyODQ=&
scope=https://api.ebay.com/oauth/api_scope/sell.account%20
https://api.ebay.com/oauth/api_scope/sell.inventory'This will result in the issuance of another 2-hour access token, which would be used to make calls to the API for access to private data:
{
"access_token": "v^1.1#i ... AjRV4yNjA=",
"expires_in": 7200,
"token_type":"User Access Token"
}
In summary, if playing in the sandbox, a sandbox user is required. If working in production mode, a real eBay user is required.
