Published: April 23 2015, 12:05:00 AM
Updated: January 18 2023, 9:28:43 AM

eBay's Authentication & Authorization (Auth & Auth) process is formally documented in the Get Auth'n'Auth tokens guide.

Here is a quick summary of how to get set up for Auth & Auth in the context of a web application.

To get set up for Auth & Auth:

1. Log into developer.ebay.com and navigate to Home > Application Keys.

2. Select the sandbox or production keyset you want to set up for Auth & Auth and click the User Tokens link displayed next to your Client ID.

3. Click the Get a Token from eBay via Your Application drop-down and create an RuName if you don't already have one (generally you need only one RuName per keyset).

4. Configure the RuName values (Display Title, Privacy Policy URL, Auth Accepted URL and Auth Declined URL) before using the RuName to create a User token.

5. Initiate the Auth & Auth flow. In a web application, this is typically done with an HTML form with a Submit button, rendered for example from PHP like this:

   <?php
   // $runame is your RuName; $sessid is the URL-encoded SessionID returned by GetSessionID
   $signin = "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn&runame=$runame&SessID=$sessid";
   echo "<input type=\"submit\" name=\"AUTHORIZE\" value=\"Launch Auth & Auth\" "
      . "onclick=\"window.open('$signin');\">\n";
   ?>

Where $runame is your RuName (known) and $sessid is your SessionID, which is obtained by calling GetSessionID and storing the result in a session variable.
In other words, the SessionID is simply a unique ID that is retained for comparison with the subsequent FetchToken call, to ensure that the FetchToken call is made by the same person who went through the Auth & Auth web flow. This helps prevent "man-in-the-middle" attacks.

   NOTE: Before passing the SessionID string to the above URL, you will need to URL-encode the string obtained from the GetSessionID API.

6. Make a FetchToken call, providing the same SessionID (the original string obtained in the GetSessionID API response, not the URL-encoded form) that was generated when the user went through the Auth & Auth flow.

7. Once you get a token back, persist it in a secure database. FetchToken need only be called once per user (and again when the token expires, 18 months later).
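The server-side half of steps 5 to 7, as an added example that is not eBay's code or part of this article. The eBay GetSessionID and FetchToken calls are replaced by a constructed stand-in (`FakeEbay`) so the example runs offline; the RuName, the SessionID format and the token value are made up. The point it demonstrates is the one the steps describe: the SessionID is bound to the browser session that started the flow, it is URL-encoded only for the sign-in URL, and FetchToken must receive the original string.

```python
from urllib.parse import quote, urlparse, parse_qs

SIGNIN_URL = "https://signin.ebay.com/ws/eBayISAPI.dll"


class FakeEbay:
    """Constructed stand-in for the eBay API (not real behaviour). It issues SessionIDs,
    records which ones the user completed sign-in for, and exchanges only an
    issued-and-accepted SessionID for a token."""

    def __init__(self):
        self.counter = 0
        self.issued = set()
        self.accepted = set()

    def get_session_id(self, runame: str) -> str:
        # Constructed SessionID; like real ones it contains characters ('+', '/', '=')
        # that are not safe in a URL query string without encoding.
        self.counter += 1
        sessid = f"S{self.counter}+constructed/id=="
        self.issued.add(sessid)
        return sessid

    def user_accepts(self, sessid: str) -> None:
        # Simulates the user finishing the hosted eBay sign-in page for this SessionID.
        if sessid not in self.issued:
            raise ValueError("unknown SessionID")
        self.accepted.add(sessid)

    def fetch_token(self, sessid: str) -> str:
        # FetchToken expects the ORIGINAL SessionID string; the encoded form is unknown to it.
        if sessid not in self.accepted:
            raise PermissionError("SessionID not issued, or user has not completed sign-in")
        return "TOKEN-for-" + sessid


def build_signin_url(runame: str, sessid: str) -> str:
    """The URL opened by the Launch button. SessID is percent-encoded (safe='' also
    encodes '/'), so '+' becomes %2B instead of being read back as a space."""
    return f"{SIGNIN_URL}?SignIn&runame={quote(runame, safe='')}&SessID={quote(sessid, safe='')}"


class AuthFlow:
    def __init__(self, ebay, runame: str):
        self.ebay = ebay
        self.runame = runame

    def start(self, user_session: dict) -> str:
        """Step 5: obtain a SessionID, bind it to this browser session, return the launch URL."""
        sessid = self.ebay.get_session_id(self.runame)
        user_session["ebay_sessid"] = sessid  # keep the raw value; encode only for the URL
        return build_signin_url(self.runame, sessid)

    def complete(self, user_session: dict) -> str:
        """Steps 6 and 7: on the Auth Accepted callback, exchange the SessionID bound to
        THIS session for a token. A session that never started the flow has nothing to
        exchange, which is the check that stops someone else completing it."""
        sessid = user_session.pop("ebay_sessid", None)
        if sessid is None:
            raise PermissionError("no Auth & Auth flow was started in this session")
        token = self.ebay.fetch_token(sessid)
        user_session["ebay_token"] = token  # in production: persist securely, once per user
        return token


def demo():
    ebay = FakeEbay()
    flow = AuthFlow(ebay, "Example-RuName-1")  # hypothetical RuName
    browser_a = {}  # stands in for the framework's server-side session store
    url = flow.start(browser_a)
    sessid = browser_a["ebay_sessid"]
    # Decoding the SessID query parameter gives back exactly the original string.
    round_trip_ok = parse_qs(urlparse(url).query)["SessID"] == [sessid]
    ebay.user_accepts(sessid)
    # Common mistake: passing the URL-encoded SessionID to FetchToken.
    try:
        ebay.fetch_token(quote(sessid, safe=""))
        encoded_accepted = True
    except PermissionError:
        encoded_accepted = False
    token = flow.complete(browser_a)
    # A different browser session holds no SessionID and cannot complete the flow.
    browser_b = {}
    try:
        flow.complete(browser_b)
        hijacked = True
    except PermissionError:
        hijacked = False
    return url, sessid, token, round_trip_ok, encoded_accepted, hijacked


if __name__ == "__main__":
    print(demo())
```

In a real deployment `browser_a` is the framework's session object (for example PHP's `$_SESSION`), `start` runs when the page with the Launch button is rendered, and `complete` runs in the handler behind the Auth Accepted URL configured on the RuName.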