
Auth and Auth Quick Start

  • Answer ID 1198
  • Published 04/23/2015 12:05 AM
  • Updated 04/23/2015 12:05 AM
  • Permalink https://ebaydts.com/eBayKBDetails?KBid=1198

eBay's Authentication & Authorization (Auth & Auth) process is formally documented at http://developer.ebay.com/Devzone/guides/ebayfeatures/Basics/Tokens.html

Here is a quick summary of how to get set up for Auth & Auth in the context of a web application.


To get set up for Auth & Auth:

1. Log into developer.ebay.com and navigate to My Account > Application Settings.

2. Select the sandbox or production keyset you want to set up for Auth & Auth and click Customize the eBay User Consent Form.

3. Now set your Application Level Settings (application URL, application logo), and create an RuName if you don't already have one (generally you need only one RuName per keyset).

4. Initiate the Auth & Auth flow. In a web application, this is typically done with an HTML form with a Submit button like this:
 
   // $sessid must already be URL-encoded here (see the note below).
   echo "<INPUT TYPE=\"submit\" NAME=\"AUTHORIZE\" VALUE=\"Launch Auth & Auth\" "
      . "onclick=\"window.open('https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&runame=$runame&SessID=$sessid');\">\n";
 
Where $runame is your RuName (known) and $sessid is your SessionID, which you obtain by calling GetSessionID and store in a session variable.
In other words, the SessionID is simply a unique ID that is retained for comparison with the subsequent FetchToken call, to ensure that the FetchToken call is made by the same person who went through the Auth & Auth web flow. This helps prevent "man-in-the-middle" attacks.

      NOTE: Before passing the SessionID string to the above URL, you will need to URL-encode the string obtained from the GetSessionID API.

5. Make a FetchToken call, providing the same SessionID that was generated when the user went through the Auth & Auth flow. Use the original string from the GetSessionID API response, not the URL-encoded copy.

6. Once you get a token back, you can persist the token in a secure database. FetchToken need only be called once per user (and again when the token expires in 18 months).
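
Steps 4 and 5 handle the SessionID in two different forms. The following is an added PHP example, not eBay's own code, showing the URL-encoded copy going into the sign-in URL and the original string going into the FetchToken request body. The function names, the $session array (a stand-in for $_SESSION) and the sample RuName and SessionID are constructed for illustration, and the FetchToken body assumes the Trading API's XML request format.

```php
<?php
// Added example. Function names and sample values are hypothetical/constructed.
const SIGNIN_BASE = 'https://signin.ebay.com/ws/eBayISAPI.dll?SignIn';

// Step 4: only a URL-encoded copy of the SessionID goes into the sign-in URL.
function build_signin_url(string $runame, string $rawSessionId): string
{
    return SIGNIN_BASE . '&runame=' . urlencode($runame)
                       . '&SessID=' . urlencode($rawSessionId);
}

// What standard query-string decoding recovers from a URL.
function sessid_seen_by_server(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params['SessID'] ?? '';
}

// Step 5: FetchToken takes the original string, read from server-side session
// state only, never from a request parameter the browser controls.
function fetchtoken_body(array $session): string
{
    if (empty($session['ebay_sessid'])) {
        throw new RuntimeException('No SessionID bound to this user session');
    }
    // XML-escape (not URL-encode) the original value for the request body.
    $id = htmlspecialchars($session['ebay_sessid'], ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return '<?xml version="1.0" encoding="utf-8"?>'
         . '<FetchTokenRequest xmlns="urn:ebay:apis:eBLBaseComponents">'
         . "<SessionID>$id</SessionID></FetchTokenRequest>";
}

// Constructed sample values; $session stands in for $_SESSION.
$runame  = 'Example-ExampleA-abcd-efghijk';
$raw     = 'AbC+dEf/GhI9==';
$session = ['ebay_sessid' => $raw];   // stored right after GetSessionID

$naive   = SIGNIN_BASE . "&runame=$runame&SessID=$raw";
$encoded = build_signin_url($runame, $raw);

// Without encoding, '+' is decoded as a space and the ID no longer matches.
printf("unencoded URL round-trips: %s\n",
    var_export(sessid_seen_by_server($naive) === $raw, true));
printf("encoded URL round-trips:   %s\n",
    var_export(sessid_seen_by_server($encoded) === $raw, true));
echo fetchtoken_body($session), "\n";
```

Reading the SessionID from the server-side session rather than from the returning request is what ties the FetchToken call to the user who started the flow.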
 
