Published: August 24 2020, 12:35:00 PM
Updated: November 28 2020, 11:24:42 PM

This is a quick guide to the steps needed to get started with OAuth and obtain a User access token.

Getting the values needed for requesting user token 

  Retrieve your app's OAuth credentials from the Application Keys page and the OAuth-enabled RuName values of your app from the User tokens page:

      client_id         - App ID (Client ID)

      clientSecret    - Cert ID (Client Secret)

      redirectUri      - OAuth Enabled RuName for the clientId

      redirectUrl      - Auth Accepted URL associated with the redirectUri

      a list of the OAuth scopes required for access to the REST interfaces you plan to call

  REF: Getting the values needed to request a User token


OAuth Token Flow

Step 1. Get the user's permission and obtain an authorization code for your clientId <your_client_id>
scope=<URL-encoded-scope-name(s)> &

An example <URL-encoded-scope-name(s)>:
1. Multiple OAuth scopes must be separated in the string with spaces; then URL-encode the whole list of scopes.
2. Pass the prompt parameter, set to login, to force a user to log in when you redirect them to the grant application access page, even if they already have an existing user session.

      Below is an example redirectUrl after the user grants permission:

      <URL-decoded-auth-code>: URL decode the returned code value
                An example URL-decoded-auth-code: v^1.1#i^1#r^1#p^3#I^3#f^0#t^Ul4xXzE0QzJGQ0I2RDA2NENDMUY4MDkwRjQ3NDE3MzdENzU2XzJfMSNFXjEyODQ=


Step 2. Exchange the authorization code for a user token and refresh_token

     <B64-encoded-oauth-credentials>: Base64 encode the following: <your_client_id>:<your_client_secret>

      The following example call requests an access token for the sandbox:

POST /identity/v1/oauth2/token HTTP/1.1
Authorization: Basic <B64-encoded-oauth-credentials>
Content-Type: application/x-www-form-urlencoded


      A successful response to the request contains the access_token, expires_in, refresh_token and refresh_token_expires_in values:

{
    "access_token": "v^1.1#i^1#r^0#I^3#p^3#...AAAOVXe2xTVRhf121kjo0YUGDxUS5v5LbnPnrbe0Mr3YO0uE",
    "token_type": "User Access Token",
    "expires_in": 7200,
    "refresh_token": "v^1.1#i^1#p^3#f^0#I^3#r^1#t^Ul4yX0Y0OUY1RjRENTU2NDZENTBFQ0E4ODg3MzE2Q0RFQj...",
    "refresh_token_expires_in": 47304000
}

Step 3. When the access token expires, use the refresh_token obtained in Step 2 to generate a new access token.

HTTP headers:
   Content-Type = application/x-www-form-urlencoded
   Authorization = Basic <B64-encoded-oauth-credentials>
Request body:
   grant_type=refresh_token&refresh_token=<refresh_token value obtained in the step 2>&scope=<URL-encoded-scope-name(s)>

NOTE: The URL-encoded-scope-name(s) must match the ones appended to the sign-in URL in Step 1.

POST /identity/v1/oauth2/token HTTP/1.1
Authorization: Basic <B64-encoded-oauth-credentials>
Content-Type: application/x-www-form-urlencoded


     eBay mints a fresh access token in a response similar to the following:
{
    "access_token": "v^1.1#i ... AjRV4yNjA=",
    "token_type": "User Access Token",
    "expires_in": 7200,
    "refresh_token": "N/A"
}

 Attached, you can find the Postman sample project for the OAuth token API calls.
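
The encoding steps from Steps 1 to 3, as an added Python example that is not part of the original article or of the attached Postman project. It builds the headers and request bodies without sending them, and shows that the authorization code must be URL-decoded once before it is form-encoded into the Step 2 body. Assumptions: the Step 2 body uses the standard OAuth 2.0 parameter names (RFC 6749), and every credential, scope, RuName and token below is a constructed sample.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode, urlsplit

FORM = "application/x-www-form-urlencoded"

def encode_scopes(scopes):
    """Step 1: join scopes with single spaces, then URL-encode the whole list."""
    return quote(" ".join(scopes), safe="")

def code_from_redirect(redirect_url):
    """Step 1: read the code from the redirect; parse_qs URL-decodes it once."""
    codes = parse_qs(urlsplit(redirect_url).query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one 'code' parameter")
    return codes[0]

def token_headers(client_id, client_secret):
    """Steps 2 and 3: Basic auth over Base64("<client_id>:<client_secret>")."""
    b64 = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode("ascii")
    return {"Content-Type": FORM, "Authorization": "Basic " + b64}

def exchange_body(decoded_code, ru_name):
    """Step 2 body. Parameter names are the standard OAuth 2.0 ones (RFC 6749),
    an assumption here because the page does not show this request body."""
    fields = {"grant_type": "authorization_code",
              "code": decoded_code,          # decoded value; encoded once below
              "redirect_uri": ru_name}
    return urlencode(fields, quote_via=quote)

def refresh_body(refresh_token, scopes, step1_scopes):
    """Step 3 body; refuses scopes that differ from those requested in Step 1."""
    if set(scopes) != set(step1_scopes):
        raise ValueError("refresh scopes must match the Step 1 scopes")
    fields = {"grant_type": "refresh_token",
              "refresh_token": refresh_token,
              "scope": " ".join(scopes)}
    return urlencode(fields, quote_via=quote)

if __name__ == "__main__":
    # Constructed sample values, not real credentials, scopes or tokens.
    scopes = ["https://api.example.com/scope/a", "https://api.example.com/scope/b"]
    redirect = "https://app.example.com/accepted?code=v%5E1.1%23i%5E1%23t%5ESAMPLE%3D"
    code = code_from_redirect(redirect)
    print(encode_scopes(scopes))
    print(token_headers("sample-app-id", "sample-cert-id"))
    print(exchange_body(code, "Sample-RuName"))
    print(refresh_body("v^1.1#SAMPLE-REFRESH", scopes, scopes))
```

Passing the still-encoded code to exchange_body encodes it a second time (%5E becomes %255E), which is why the decode step comes first.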

Additional Info    

API Documentation: Getting a User access token
