# Using OAuth and Application Keys with the eBay API: eBay OAuth explained
TODO: Get picture of the consent page
Before your app makes any calls to the eBay RESTful API, it needs an OAuth token proving who you are (or, more accurately, proving that your application has been granted permission to use the API). The OAuth token is just a long string that you pass along with each eBay RESTful API call.
The token isn't sufficient to make a call to a RESTful endpoint. It must be accompanied by the proper headers and a relevant message body.
The token is part of a key/value pair field issued upon a successful request. Tokens have an expiration time in seconds passed along with the token itself as another field in the JSON payload.
There are two kinds of tokens: user, and application.
# User tokens
A user token acts on behalf of the user and can make changes to the account. Actions it might perform include creating and updating listings, making purchases on behalf of the user, and placing auction bids. Obtaining a user token requires sending the user to an eBay consent page that explains where your application comes from, what permissions are going to be granted, and how your privacy policy works.
# Application tokens
An application token requires fewer permissions and is used for lower-impact purposes, such as doing searches or obtaining information about an item listing.
# Access tokens have scopes
A token isn't a global value. Its powers are limited to the list of scopes you request when obtaining the token. See Specifying OAuth scopes.
# Making the API call to obtain a token
In order to get the OAuth token, you must first make an API call to obtain it. You will pass it some critical information, namely your App ID (also known as your Client ID) and your Cert ID (also known as your Client Secret).
These two strings are available to you through the Application Keys page, which requires a login to view. They will look something like this:
Sandbox

| Your App Name | |
|---|---|
| App ID (Client ID) | YourCo-Proj-SBX-ab324-lle17-e123 |
| Dev ID | ee9164c-4f21-8905-fcba401969403 |
| Cert ID (Client Secret) | SBX-1234-abcd-5678-effe |

Production

| Your App Name | |
|---|---|
| App ID (Client ID) | YourCo-Something-PRD-0000-6f11b |
| Dev ID | ee9164c-4f21-8905-fcba401969403 |
| Cert ID (Client Secret) | PRD-83fd-ffcc-400e-8676-a441 |
# Production vs. Sandbox
You probably already know this, but Production means the actual eBay site, and Sandbox is a simulated eBay site you can use for testing. As you can see, you get a different set of credentials for each one. You pass those credentials to the token API call, and they are used to generate the token. You will also use different URLs (known as endpoints) to get the token, so a Sandbox keyset must be used with the Sandbox endpoint and a Production keyset with the Production endpoint.
# Example endpoint for a call to the eBay production API
Here's an example HTTP address for the production API, aka real live eBay:
https://api.ebay.com/identity/v1/oauth2/token
# Example endpoint for a call to the sandbox
Here's the URL to a Sandbox call:
https://api.sandbox.ebay.com/identity/v1/oauth2/token
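Here is a worked example of the application-token request described above, written in Go because the code links below are Go examples. It is an added example, not code from this page or from eBay's client libraries. It builds the HTTP Basic `Authorization` header from the App ID (Client ID) and Cert ID (Client Secret), POSTs a `grant_type=client_credentials` form to the token endpoint, parses the `access_token` and `expires_in` fields from the JSON reply, and converts `expires_in` into a wall-clock expiry so the caller knows when to refresh. The keyset values are the sample ones from the tables above, the scope `https://api.ebay.com/oauth/api_scope` is assumed to be the basic public scope, and `NewFakeTokenServer` is a constructed stand-in for the eBay endpoint so the example runs offline; in real use you would pass `TokenURL(true)` or `TokenURL(false)` instead of the fake server's URL.

```go
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Token endpoints from the page. Production and Sandbox have separate
// endpoints and separate keysets; a Sandbox keyset is rejected by Production.
const (
	ProductionTokenURL = "https://api.ebay.com/identity/v1/oauth2/token"
	SandboxTokenURL    = "https://api.sandbox.ebay.com/identity/v1/oauth2/token"
)

// TokenURL picks the endpoint that matches the keyset you hold.
func TokenURL(sandbox bool) string {
	if sandbox {
		return SandboxTokenURL
	}
	return ProductionTokenURL
}

// TokenResponse mirrors the JSON payload the page describes: the token string
// plus its lifetime in seconds.
type TokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// BasicAuthHeader builds the Authorization value for the token request:
// base64 of "AppID:CertID" (Client ID and Client Secret).
func BasicAuthHeader(clientID, clientSecret string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(clientID+":"+clientSecret))
}

// FetchAppToken runs the client-credentials grant (an application token) and
// returns the parsed response plus the wall-clock expiry derived from expires_in.
func FetchAppToken(ctx context.Context, client *http.Client, tokenURL, clientID, clientSecret string, scopes []string) (*TokenResponse, time.Time, error) {
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("scope", strings.Join(scopes, " ")) // scopes are space-separated

	req, err := http.NewRequestWithContext(ctx, http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", BasicAuthHeader(clientID, clientSecret))

	resp, err := client.Do(req)
	if err != nil {
		return nil, time.Time{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the read; the payload is small
	if err != nil {
		return nil, time.Time{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, time.Time{}, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, body)
	}
	var tr TokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		return nil, time.Time{}, err
	}
	if tr.AccessToken == "" || tr.ExpiresIn <= 0 {
		return nil, time.Time{}, errors.New("token response missing access_token or expires_in")
	}
	return &tr, time.Now().Add(time.Duration(tr.ExpiresIn) * time.Second), nil
}

// NewFakeTokenServer is a constructed stand-in for the eBay token endpoint so the
// example runs offline. It checks the Basic credentials and the grant type, then
// answers with a payload in the shape the page describes (constructed values).
func NewFakeTokenServer(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.Header.Get("Authorization") != BasicAuthHeader(clientID, clientSecret) {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		if err := r.ParseForm(); err != nil || r.PostForm.Get("grant_type") != "client_credentials" || r.PostForm.Get("scope") == "" {
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"access_token":"v^1.1#CONSTRUCTED","expires_in":7200,"token_type":"Application Access Token"}`)
	}))
}

func main() {
	// Sample keyset values from the page's Sandbox table; load real ones from config, never hard-code them.
	const appID, certID = "YourCo-Proj-SBX-ab324-lle17-e123", "SBX-1234-abcd-5678-effe"
	srv := NewFakeTokenServer(appID, certID)
	defer srv.Close()
	// Assumed basic public scope; replace srv.URL with TokenURL(true/false) against the real service.
	tok, expiry, err := FetchAppToken(context.Background(), srv.Client(), srv.URL, appID, certID,
		[]string{"https://api.ebay.com/oauth/api_scope"})
	if err != nil {
		fmt.Println("token request failed:", err)
		return
	}
	fmt.Printf("%s obtained, expires at %s\n", tok.TokenType, expiry.Format(time.RFC3339))
	_ = tok.AccessToken // sent as "Authorization: Bearer <token>" on subsequent API calls
}
```

The expiry is computed once from `expires_in` rather than re-read from the token, so a cache can refresh a little before that instant instead of discovering the lapse through a 401 on a real call.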
# See also
# Complete code examples
- Alex Pliutau's Getting started with OAuth2 in Go
- Ramblings of a cloud engineer: How to do Google sign-in with Go, Part 1 and Part 2
- TutorialEdge.net Go OAuth2 Tutorial
- Medium: Golang oAuth2 Goole Example for Web and API
- eBay OAuth client library
- eBay's OAuth client library for Java
- eBay's OAuth client library for C#
# Overviews
- Stackoverflow: 400 error getting oauth user token
- eBay: Obtaining an application access token
- eBay: Obtaining a user token
- Okta: What is the OAuth 2.0 Authorization Code Grant Type?
- Stackoverflow: eBay oauth token and refresh tokens
- eBay: Getting Your Keys.
- eBay: Specifying OAuth scopes
- eBay: Access token types
- eBay: Parts of a REST request
- eBay: The authorization code grant flow
- eBay: Obtaining an OAuth Application access token for a GET request
- OAuth Token Flow/Quick OAuth Guide - eBay Knowledgebase
- eBay REST API OAuth2: Plain English Edition