eBay REST API OAuth2: Plain English Edition

Client credentials grant👎

Authorization code grant 👍

  1. Your app redirects the user to a page (hosted by eBay) where they login with their account credentials. Note: This URI also contains your client_id and the API scopes you plan to work with and is provided in the eBay dev portal labeled Your branded eBay Production Sign In (OAuth)
    Example: https://auth.ebay.com/oauth2/authorize?client_id=TestAcct-0123-4567–890d-a1bcde23456&response_type=code&redirect_uri=Test_Account-TestAcct-0123-4-dxluzra&scope=https://api.ebay.com/oauth/api_scope%20https://api.ebay.com/oauth/api_scope/sell.marketing.readonly%20https://api.ebay.com/oauth/api_scope/sell.marketing
  2. eBay redirects the user back to your application to a URI you have provided beforehand with an authorization code appended.
    Example: https://localhost:3000?code=<authentication code>
  3. Your application parses the authorization code from the URI and uses it to make a POST call to the eBay API for an access token. (Don’t forget to Base64 encode your client_id and client_secret. With Node.js, I use the btoa npm package along with qs to compose my request using fetch.
fetch(‘https://api.ebay.com/identity/v1/oauth2/token', {
method: ‘post’,
headers: {
‘Content-Type’: ‘application/x-www-form-urlencoded’,
‘Authorization’: ‘Basic ‘ + btoa(`${clientId}:${clientSecret}`)
body: qs.stringify({
grant_type: “authorization_code”,
// parsed from redirect URI after returning from eBay,
code: authCode,
// this is set in your dev account, also called RuName
redirect_uri: ‘Test_Account-TestAcc-0123–4-abcdefg’
.then(response => response.json())
.catch(err => console.log(err));
"access_token": "v^1.1#i^1#p^3#r^1...XzMjRV4xMjg0",
"expires_in": 7200,
"refresh_token": "v^1.1#i^1#p^3#r^1...zYjRV4xMjg0",
"refresh_token_expires_in": 47304000,
"token_type": "User Access Token"
“message”:”Invalid access token”,
“longMessage”:”Invalid access token. Check the value of the Authorization HTTP request header.”

Terms to Understand:

  • client_id: Called App ID in the “Key Sets” of the developer portal
  • client_secret: Called Cert ID in the “Key Sets” section of the dev portal
  • RuName: Redirect URL name Ex: Test_Account-TestAcc-0123–4-abcdefg
  • authorization code: code used to request access token
  • access token: token used to authenticate requests to the eBay API
  • refresh token: token used to refresh the access token when it expires



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Abe Flansburg

Abe Flansburg

Devops / Software / Data Engineer / Follower of Jesus Christ