eBay's Authentication & Authorization (Auth & Auth) process is formally documented at
Here is a quick summary of how to get set up for Auth & Auth in the context of a web application.
To get set up for Auth & Auth:
1. Log into developer.ebay.com and navigate to My Account > Application Settings.
2. Select the sandbox or production keyset you want to set up for Auth & Auth and click Customize the eBay User Consent Form.
3. Now set your Application Level Settings (application URL, application logo), and create an RuName if you don't already have one (generally you need only one RuName per keyset).
4. Initiate the Auth & Auth flow. In a web application, this is typically done with an HTML form with a Submit button like this:
<INPUT TYPE="submit" NAME="AUTHORIZE" VALUE="Launch Auth & Auth">
Where $runame is your RuName (known) and $sessid is your SessionID, which is obtained by calling GetSessionID and storing the result in a session variable.
In other words, the SessionID is simply a unique ID that is retained for comparison with the subsequent FetchToken call to ensure that the FetchToken call is made by the same person who went through the Auth & Auth web flow. This is to help prevent "man-in-the-middle" attacks.
NOTE: Before passing the SessionID string to the above URL, you will need to URL-encode the string obtained from the GetSessionID API.
5. Make a FetchToken call, providing the same SessionID (the original string obtained in the GetSessionID API response) generated when the user went through the Auth & Auth flow.
6. Once you get a token back, you can persist the token in a secure database. FetchToken need only be called once per user (and again when the token expires in 18 months).
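The sketch below is an added example, not code from the original article or from eBay. It shows steps 4 and 5 together: the SessionID is URL-encoded only for the sign-in redirect, while FetchToken is built from the original string held in the server-side session. The sign-in URL format, the session key name, the RuName and the sample SessionID are assumptions or constructed values.

```python
from urllib.parse import quote
from xml.sax.saxutils import escape

# Assumption: sandbox sign-in URL format; the page's own URL did not survive.
SIGNIN_URL = "https://signin.sandbox.ebay.com/ws/eBayISAPI.dll"
SESSION_KEY = "ebay_sessid"  # hypothetical session-variable name


def consent_url(runame: str, session_id: str) -> str:
    """Step 4: URL-encode the SessionID only for the browser redirect."""
    return (f"{SIGNIN_URL}?SignIn&RuName={quote(runame, safe='')}"
            f"&SessID={quote(session_id, safe='')}")


def fetch_token_body(session_id: str) -> str:
    """Step 5: FetchToken carries the original string (XML-escaped, not URL-encoded)."""
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<FetchTokenRequest xmlns="urn:ebay:apis:eBLBaseComponents">'
            f"<SessionID>{escape(session_id)}</SessionID>"
            "</FetchTokenRequest>")


def begin_auth(session: dict, runame: str, session_id: str) -> str:
    """Store the GetSessionID result server-side, then return the redirect URL."""
    session[SESSION_KEY] = session_id
    return consent_url(runame, session_id)


def finish_auth(session: dict) -> str:
    """Build FetchToken from the stored SessionID, never from request parameters.

    pop() makes the value single-use, so a replayed return hits the error path.
    """
    session_id = session.pop(SESSION_KEY, None)
    if session_id is None:
        raise PermissionError("no pending Auth & Auth flow for this session")
    return fetch_token_body(session_id)


if __name__ == "__main__":
    user_session = {}                      # stand-in for a framework session
    sid = "AbC+dEf/GhI="                   # constructed sample SessionID
    print(begin_auth(user_session, "Example-RuName-SBX", sid))
    print(finish_auth(user_session))
```

Taking the SessionID from the server-side session rather than from anything the browser sends back is what ties the FetchToken call to the user who started the flow.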