# Obtaining an OAuth Application access token

Your calls to the eBay RESTful API will be fruitless if you don't obtain the proper authorization first. There are two kinds of authorization tokens: Application access and User access. These tokens are just long sequences of numbers you package up with your API calls. They expire every few hours.

This section concerns itself with application access tokens. They're limited; for example, they can't make changes to an account. Think of them as mostly being used for the kind of information you could view on eBay if you weren't logged in. You obtain them via a POST request. This article describes the anatomy of that POST request.

User access tokens allow your app to make changes to the account.

# Using the API to obtain an Application access token

You'll need your client ID and client secret ahead of time, but you won't use them as is. You must concatenate them with a colon character between them, then base64-encode the whole string. Suppose your client ID is YourCo-Proj-DDR-ab324 and your client secret is Foo-1234-effe. In Go, with encoding/base64 imported as b64, you would then do something like this:

b64.StdEncoding.EncodeToString([]byte("YourCo-Proj-DDR-ab324" + ":" + "Foo-1234-effe"))

The result would be a long base64-encoded string something like this, but longer:

ZVNuaXBlSW4tUmFwaWRmaXI=

Set that string aside for a moment.

# The POST

The endpoint to which the POST request is sent looks like this:

https://api.ebay.com/identity/v1/oauth2/token

# The headers

There are two headers: an easily readable one named Content-Type and a stranger one named Authorization. Its value is the word Basic followed by a space, then the string you base64-encoded earlier.

# The body (POST data)

The body, also known as the request payload, states how much access you are requesting. Your job is to request the least invasive access. It consists of the text grant_type=client_credentials&scope= followed by a list of the scope parameters you're requesting. In this case it's as follows (the URL-encoded form of https://api.ebay.com/oauth/api_scope): https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope

# The entire POST request illustrated

Here are all the components of the POST request.

| Component | Value |
|---|---|
| POST | https://api.ebay.com/identity/v1/oauth2/token |
| Header | Content-Type: application/x-www-form-urlencoded |
| Header | Authorization: Basic ZVNuaXBlSW4tUmFwaWRmaXI= |
| Body | grant_type=client_credentials&scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope |

You can obtain a token by running the following through curl. This will only work if you base64'd your own access keys as shown above.

The curl command would look like this:

curl -X POST 'https://api.ebay.com/identity/v1/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Authorization: Basic ZVNuaXBlSW4tUmFwaWRmaXI=' \
  -d 'grant_type=client_credentials&scope=https%3A%2F%2Fapi.ebay.com%2Foauth%2Fapi_scope'

# What a successful application token looks like

The successful result will be JSON output that looks something like this (but much much longer):

{"access_token":"v^1.1#i^1#f^0#I^3#p^1#r^0#t^H4sIAAAAAAAAAO                                               
VXa2wUVRTudrdVKA9TjQISXQeNr8zsndn3wK4uLA2r0BZ2KdIodR532oHZm                                               
XHuDO1qhKVoGxMIipAIAlYxChhQsIQQEIVEjRgFXwkx0QTwQXygCUET/uCd                                               
2aVsKwEKi5C4yWQz55577vd955x754J89ZD7uqZ0/T3cdV1lTx7kK10uugY
FVVMQ6xhhhGSqrcUhGrMplIWJNgU0npk1lGQqwuqGZmqAphDeVjBFcgGciH
k1PNGMEAOkqCAMkwGQBYJsiCEMX46WbC2wQNJGsqdqEAEXfgss5cowTr+aF
4mTrHg+ZdBjjebtgQBIkT44oUV+gdlE2fAXAJ8R+pgiBaDMMxEeIGJAkEoi
r/033eIUWZKhESMmT0zMTjQ2EnGYVmUdMyFncLosSrJBNs5IkgBEpFAwKET
CnBrXBSEimjajUjzmjIRNqtpNayKJltql2XmEWC+F1Xi+cgb7ZpmnIvGXCv
+hgAaN8j06amhTaY5Qjsa/d6wV++8ARSdqgIEM9EMmvmdIylA9cqBqC2EnE
iQeLFIfTYOyHM5MssZ86CpK5wASQHXmZWFhiyy/qDE+CMSJMVQVCIDUUki+
Rs4wc2moKNhwsVV/TpLIJnnF6dm9PiiKdgyEg+BiouzapgQt69M4vKnZphY
yc05STTQrNFygDIs0y8CcK1WAfWxltHlTxJmAamqJAo4m+7ERfY/kd5F55a
MAhdFq9JTk4zuf/gLBoUvSkaMqF4Bb4rff1vufEK50d3uraDTtdWfFEGPnA
u/7P6m5F7d8xgY1XezHuKma0qu2WDs2ZEqeuQtw+koCDBYFSYIQs1g3NlRD
IrXj8AdWvnb3qFVvLZ3ynqf+xpfVyctSyduWrZkzxt25w+h9zbO7d/1nM8N
oVLff+Nad7Z8snW2/489DeBQ/qe2edOvXzG+s81hE4Cw1tX7p5yb4F09sW7
teFdvHXPU3+8Xtt1d/r4E++0Hk21/rRw2/Nvuh4f+YBaoRydm8kuub3u1Yd
HpvmcYteG7jae37V/12/XtiU+Pr/nxwy+ObjxZZ/YV0vcP+sMpT/EQAAA="
,"expires_in":7200,"token_type":"Application Access Token"}         

Along with the token you get other information, such as an expiration time (expires_in is given in seconds, so it is 2 hours away in this case).

# Results of an unsuccessful call return very specific error messages

If something went wrong, for example, you used your production secrets for the sandbox, you'll get a much briefer response:

{"error":"invalid_client","error_description":"client authentication failed"}

Read these errors carefully. They are usually your most important diagnostic tool, returning accurate and helpful explanations.

# Using the token

The token can then be used in a call, although obviously it's smarter to get your token via a direct call to the API in code.

  • Copy the whole thing and paste it into your code as appropriate. Here's a fragment of the example taken from the getItem API example:
	token :=
    "v^1.1#i^1#I^3#r^0#f^0#p^3#t^H4sIAAAAAA
    AAAOVYa2wUVRTu9rEEsWCEyENJlqkQBWb3znN3
    JuySpS3tpvS55WFRyZ07d9qxszPLzGzbDRFqEU
    yMCvEHBJBQhaCSSCQGExOUKEQC/DGKgQCJiQaR
    RIkSIkYT453tg21RoC0/NnH/bObc8/q+c86dew
    f0+icv3Fq79Va5b1Jxfy/oLfb5mClgsr9s0dSS
    4jllRSBPwdff+2RvaV/JT0scmDLScgt20pbp4E
    BPyjAdOSeMUhnblC3o6I5swhR2ZBfJyXj9CpkN
    AjltW66FLIMKJKqiFMdgoESwhCVJkHhJIVJzyG
    erFaW0sKTwkQgK8yojqiJD1h0ngxOm40LTjVIs
    YCQa8DQTbgWCLPAyKwZZUWqjAquw7eiWSVSCgI
    rl0pVztnZerndPFToOtl3ihIol4suTjfFEVXVD
    65JQnq/YIA9JF7oZZ+RTpaXiwCpoZPDdwzg5bT
    mZQQg7DhWKDUQY6VSODyUzjvRzVGt8hAEKgjwb
    0aCAtAdC5XLLTkH37nl4El2ltZyqjE1Xd7P3Yp
    SwobyAkTv41EBcJKoC3l9zBhq6pmM7SlUviz+z
    MlndQgWSTU221aWrWPWQMpIoASBwIhXToI06oG
    liYzDIgKdBikdFqbRMVfcIcwINlrsMk4zxaF74
    PF6IUqPZaMc118smXy88zJ/Y5hV0oIIZt8P0ao
    pThIRA7vHe7A+1w+0GeFANwTJCmGW5CEBhxCgs
    /NeG8GZ9jE0R8+oSb2oKeblgBWbpFLQ7sZs2IM
    I0IvRmUtjWVZkTNBJew7QqShrNS5pGK4Iq0oyG
    McBYUZAU+b/0huvaupJx8XB/jF7IAYxSHp+yDj
    XZtTqx2ZpNY2q0Zm7LGWyKHidKdbhuWg6Furu7
    QAA"

You'll have to repeat this process as the token expires.

# ebayrest demo code

# See also