# Obtaining an OAuth Application access token
Your calls to the eBay RESTful API will be fruitless if you don't obtain the proper authorization first. There are two kinds of authorization tokens: Application access and User access. These tokens are just long sequences of numbers you package up with your API calls. They expire every few hours.
This section concerns itself with application access tokens. They're limited; for example, they can't make changes to an account. Think of them as mostly being used for the kind of information you could view on eBay if you weren't logged in. You obtain them via a POST request. This article describes the anatomy of that POST request.
User access tokens allow your app to make changes to the account.
# Using the API to obtain an Application access token
You'll need your client ID and client secret ahead of time, but you won't use them as is. You must concatenate them with a colon character between them, then base64-encode the whole string. Suppose your client ID is YourCo-Proj-DDR-ab324 and your client secret is Foo-1234-effe. You would then do something like this:

```go
// b64 is assumed to be the standard library's encoding/base64 package, imported under that alias
b64.StdEncoding.EncodeToString([]byte("YourCo-Proj-DDR-ab324" + ":" + "Foo-1234-effe"))
```
The result would be a long base64-encoded string, something like this but longer:
ZVNuaXBlSW4tUmFwaWRmaXI=
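Set that string aside for a moment. Base64 is an encoding, not encryption, so anyone who sees the string can recover the client secret; handle it with the same care as the secret itself.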
# The POST
The endpoint to which the POST request is sent looks like this:
https://api.ebay.com/identity/v1/oauth2/token
# The headers
There are two headers: an easily readable one named Content-Type and a stranger one named Authorization. The value of the Authorization header is the word Basic followed by a space, then the string you base64'd earlier.
# The body (POST data)
The body, also known as the request payload, delineates how much access you are requesting. Your job is to request the least invasive access. It consists of the text grant_type=client_credentials&scope= followed by a list of the scope parameters you're requesting. In this case it's as follows:
https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope
# The entire POST request illustrated
Here are all the components of the POST request.
Component | Value |
---|---|
POST | https://api.ebay.com/identity/v1/oauth2/token |
Header | Content-Type: application/x-www-form-urlencoded |
Header | Authorization: Basic ZVNuaXBlSW4tUmFwaWRmaXI= |
Body | grant_type=client_credentials&scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope |
You can obtain a token by running the following through curl. This will only work if you base64'd your own access keys as shown above. The curl command would look like this:

```sh
curl -X POST 'https://api.ebay.com/identity/v1/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic ZVNuaXBlSW4tUmFwaWRmaXI=' \
  -d 'grant_type=client_credentials&scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope'
```
# What a successful application token looks like
The successful result will be JSON output that looks something like this (but much much longer):
{"access_token":"v^1.1#i^1#f^0#I^3#p^1#r^0#t^H4sIAAAAAAAAAO
VXa2wUVRTudrdVKA9TjQISXQeNr8zsndn3wK4uLA2r0BZ2KdIodR532oHZm
XHuDO1qhKVoGxMIipAIAlYxChhQsIQQEIVEjRgFXwkx0QTwQXygCUET/uCd
2aVsKwEKi5C4yWQz55577vd955x754J89ZD7uqZ0/T3cdV1lTx7kK10uugY
FVVMQ6xhhhGSqrcUhGrMplIWJNgU0npk1lGQqwuqGZmqAphDeVjBFcgGciH
k1PNGMEAOkqCAMkwGQBYJsiCEMX46WbC2wQNJGsqdqEAEXfgss5cowTr+aF
4mTrHg+ZdBjjebtgQBIkT44oUV+gdlE2fAXAJ8R+pgiBaDMMxEeIGJAkEoi
r/033eIUWZKhESMmT0zMTjQ2EnGYVmUdMyFncLosSrJBNs5IkgBEpFAwKET
CnBrXBSEimjajUjzmjIRNqtpNayKJltql2XmEWC+F1Xi+cgb7ZpmnIvGXCv
+hgAaN8j06amhTaY5Qjsa/d6wV++8ARSdqgIEM9EMmvmdIylA9cqBqC2EnE
iQeLFIfTYOyHM5MssZ86CpK5wASQHXmZWFhiyy/qDE+CMSJMVQVCIDUUki+
Rs4wc2moKNhwsVV/TpLIJnnF6dm9PiiKdgyEg+BiouzapgQt69M4vKnZphY
yc05STTQrNFygDIs0y8CcK1WAfWxltHlTxJmAamqJAo4m+7ERfY/kd5F55a
MAhdFq9JTk4zuf/gLBoUvSkaMqF4Bb4rff1vufEK50d3uraDTtdWfFEGPnA
u/7P6m5F7d8xgY1XezHuKma0qu2WDs2ZEqeuQtw+koCDBYFSYIQs1g3NlRD
IrXj8AdWvnb3qFVvLZ3ynqf+xpfVyctSyduWrZkzxt25w+h9zbO7d/1nM8N
oVLff+Nad7Z8snW2/489DeBQ/qe2edOvXzG+s81hE4Cw1tX7p5yb4F09sW7
teFdvHXPU3+8Xtt1d/r4E++0Hk21/rRw2/Nvuh4f+YBaoRydm8kuub3u1Yd
HpvmcYteG7jae37V/12/XtiU+Pr/nxwy+ObjxZZ/YV0vcP+sMpT/EQAAA="
,"expires_in":7200,"token_type":"Application Access Token"}
Along with the token you get other information, such as its lifetime: expires_in is given in seconds, so this token expires 2 hours after it was issued.
# Results of an unsuccessful call return very specific error messages
If something went wrong, for example, you used your production secrets for the sandbox, you'll get a much briefer response:
{"error":"invalid_client","error_description":"client authentication failed"}
Read these errors carefully. They are usually your most important diagnostic tool, returning accurate and helpful explanations.
# Using the token
The token can then be used in a call, although obviously it's smarter to get your token via a direct call to the API in code.
- Copy the whole thing and paste it into your code as appropriate. Here's a fragment of the example taken from the getItem API example:
token :=
"v^1.1#i^1#I^3#r^0#f^0#p^3#t^H4sIAAAAAA
AAAOVYa2wUVRTu9rEEsWCEyENJlqkQBWb3znN3
JuySpS3tpvS55WFRyZ07d9qxszPLzGzbDRFqEU
yMCvEHBJBQhaCSSCQGExOUKEQC/DGKgQCJiQaR
RIkSIkYT453tg21RoC0/NnH/bObc8/q+c86dew
f0+icv3Fq79Va5b1Jxfy/oLfb5mClgsr9s0dSS
4jllRSBPwdff+2RvaV/JT0scmDLScgt20pbp4E
BPyjAdOSeMUhnblC3o6I5swhR2ZBfJyXj9CpkN
AjltW66FLIMKJKqiFMdgoESwhCVJkHhJIVJzyG
erFaW0sKTwkQgK8yojqiJD1h0ngxOm40LTjVIs
YCQa8DQTbgWCLPAyKwZZUWqjAquw7eiWSVSCgI
rl0pVztnZerndPFToOtl3ihIol4suTjfFEVXVD
65JQnq/YIA9JF7oZZ+RTpaXiwCpoZPDdwzg5bT
mZQQg7DhWKDUQY6VSODyUzjvRzVGt8hAEKgjwb
0aCAtAdC5XLLTkH37nl4El2ltZyqjE1Xd7P3Yp
SwobyAkTv41EBcJKoC3l9zBhq6pmM7SlUviz+z
MlndQgWSTU221aWrWPWQMpIoASBwIhXToI06oG
liYzDIgKdBikdFqbRMVfcIcwINlrsMk4zxaF74
PF6IUqPZaMc118smXy88zJ/Y5hV0oIIZt8P0ao
pThIRA7vHe7A+1w+0GeFANwTJCmGW5CEBhxCgs
/NeG8GZ9jE0R8+oSb2oKeblgBWbpFLQ7sZs2IM
I0IvRmUtjWVZkTNBJew7QqShrNS5pGK4Iq0oyG
McBYUZAU+b/0huvaupJx8XB/jF7IAYxSHp+yDj
XZtTqx2ZpNY2q0Zm7LGWyKHidKdbhuWg6Furu7
QAA"
You'll have to repeat this process as the token expires.
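The whole exchange described on this page in Go, as an added example that is not taken from the ebayrest repository: it builds the POST, reports the error and error_description fields on failure, and returns the expiry so the caller knows when to repeat the request. The helper name FetchAppToken and the environment variable names EBAY_CLIENT_ID and EBAY_CLIENT_SECRET are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// FetchAppToken (hypothetical helper) sends the POST from the table and returns the token and its expiry.
func FetchAppToken(c *http.Client, endpoint, id, secret, scope string) (string, time.Time, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {scope}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(id+":"+secret)))
	resp, err := c.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	var r struct { // success and error fields of the two JSON responses shown on this page
		AccessToken string `json:"access_token"`
		ExpiresIn   int    `json:"expires_in"` // lifetime in seconds
		Err         string `json:"error"`
		ErrDesc     string `json:"error_description"`
	}
	err = json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&r)
	if err != nil || resp.StatusCode != http.StatusOK || r.AccessToken == "" {
		return "", time.Time{}, fmt.Errorf("token request failed (HTTP %d): %s: %s", resp.StatusCode, r.Err, r.ErrDesc)
	}
	return r.AccessToken, time.Now().Add(time.Duration(r.ExpiresIn) * time.Second), nil
}

func main() {
	id, secret := os.Getenv("EBAY_CLIENT_ID"), os.Getenv("EBAY_CLIENT_SECRET") // assumed variable names
	if id == "" || secret == "" {
		fmt.Println("set EBAY_CLIENT_ID and EBAY_CLIENT_SECRET; do not hard-code them")
		return
	}
	_, exp, err := FetchAppToken(&http.Client{Timeout: 10 * time.Second}, "https://api.ebay.com/identity/v1/oauth2/token", id, secret, "https://api.ebay.com/oauth/api_scope")
	fmt.Println("token valid until", exp, "error:", err) // never log the token itself
}
```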
# ebayrest demo code
- On GitHub: apptoken.go