Using Postman to get token

A public app can get access tokens if sellers grant access to seller stores. We will demonstrate this process as below:

Grant Type must be Authorization Code when you are getting authorization from sellers. And the result is:

The auth endpoint and token endpoint from the global configuration
Your public app redirect URL
Your public app id and secret
Scopes you want to request from the seller. Add scope offline if you want to get a refresh_token along.
Any random state
Your public app authentication method (token endpoint auth method)

Click Get new access token and seller gets a login screen. Here you must use a seller account to login to Seller Center:

Seller clicks Đăng nhập (Login) and gets a consent screen. Seller will select 1 of their stores with necessary permissions and grant your app access:

Now use this access_token to make your first request to Developer Platform
This access_token will be expired after expired_in seconds. You can use the token until its expiry.
When a access_token is expired or revoked, any request with that token will result in 401 Unauthorized. You should rely on this 401 http status to request a new one or to refresh the token with refresh_token.

Invalid callback URL: The callback URL must be exact as one of the registered redirect URIs in your public app. Sometimes, you might have some extra slash / at the end, use wrong scheme (http instead of https), add some query parameters (make it different from the registered ones), use wrong port.
Use unregistered scopes / wrong scopes
Invalid auth endpoint / token endpoint: Use wrong scheme (http instead of https) – remember that a POST request to http will be redirected to https as a GET. This sometimes makes developer confused.
Some developers might already have legacy sandbox apps (id and secret), and mistakenly use sandbox app credentials with other production configurations.
Use wrong client authentication method: Each app is configured with 1 token endpoint authentication method, using the wrong one will make your app unrecognizable therefore unauthenticated at the token endpoint.

An in-house app is associated with exactly 1 store. The app only needs to authenticate itself to get an access token.

Grant Type must be Client Credentials when an app authenticates itself. And the result is:

Click Get new access token to authenticate your app and get an access token (no refresh token for Client Credentials grant type).

Now use this access_token to make your first request to Developer Platform. Remember the essence of an in-house app, this access_token can only access exactly the associated store.
This access_token will be expired after expired_in seconds. You can use the token until its expiry.
When an access_token is expired or revoked, any request with that token will result in 401 Unauthorized. You should rely on this 401 http status to request a new one.

Use wrong client authentication method: Each app is configured with 1 token endpoint authentication method, using the wrong one will make your app unrecognizable therefore unauthenticated at the token endpoint.

That’s merely a demo with no business value. You want to start coding and implement this part your own. Visit authentication to continue.

One thought on “Using Postman to get token”