
Using Postman to get token

Prerequisites

  • You already have a public app or an in-house app
  • You already have an active store on production
  • Postman >= 8.0.0
  • (internet connection and electricity)

Public app gets authorization from sellers

A public app can get access tokens once sellers grant it access to their stores. The steps below demonstrate the process:

  1. Create a new Postman request
  2. Open Auth tab > Type > Select OAuth 2.0

Grant Type must be Authorization Code when you are getting authorization from sellers. And the result is:

  3. Now review your public app configuration and enter:
     • The auth endpoint and token endpoint from the global configuration
     • Your public app redirect URL
     • Your public app id and secret
     • The scopes you want to request from the seller. Add the offline scope if you also want to get a refresh_token.
     • Any random state
     • Your public app authentication method (token endpoint auth method)
  4. Click Get new access token and the seller gets a login screen. Here you must use a seller account to log in to Seller Center:
  5. The seller clicks Đăng nhập (Login) and gets a consent screen. The seller selects 1 of their stores with the necessary permissions and grants your app access:
  6. The seller clicks Cho phép truy cập (Allow) and you get back an access token:
     • Now use this access_token to make your first request to Developer Platform.
     • This access_token expires after expired_in seconds. You can use the token until its expiry.
     • When an access_token is expired or revoked, any request with that token will result in 401 Unauthorized. You should rely on this 401 HTTP status to request a new one or to refresh the token with refresh_token.

Common mistakes

  • Invalid callback URL: The callback URL must exactly match one of the registered redirect URIs in your public app. Typical causes are an extra slash / at the end, the wrong scheme (http instead of https), added query parameters (which make it differ from the registered ones), or the wrong port.
  • Unregistered scopes / wrong scopes
  • Invalid auth endpoint / token endpoint: Using the wrong scheme (http instead of https). Remember that a POST request to http will be redirected to https as a GET, which sometimes confuses developers.
  • Some developers might already have legacy sandbox apps (id and secret), and mistakenly use sandbox app credentials with other production configurations.
  • Wrong client authentication method: Each app is configured with 1 token endpoint authentication method; using the wrong one makes your app unrecognizable, and therefore unauthenticated, at the token endpoint.
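
The callback URL mistakes listed above can be checked before you paste the value into Postman. The following is an added example, not part of the original documentation or the platform's own code; the function name, the mistake labels and the `example.test` URIs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample value; replace with the redirect URIs registered for your app.
REGISTERED = ["https://app.example.test/oauth/callback"]


def diagnose_redirect_uri(candidate, registered=REGISTERED):
    """Return [] on an exact match, else a list of (mistake, registered_uri) pairs."""
    if candidate in registered:
        return []  # only an exact string match is treated as valid
    c = urlsplit(candidate)
    findings = []
    for reg in registered:
        r = urlsplit(reg)
        if c.hostname != r.hostname:
            continue  # unrelated registration, nothing useful to compare
        if c.scheme != r.scheme:
            findings.append(("scheme", reg))  # e.g. http instead of https
        if c.port != r.port:
            findings.append(("port", reg))  # explicit port differs
        if c.path != r.path:
            only_slash = c.path.rstrip("/") == r.path.rstrip("/")
            findings.append(("trailing-slash" if only_slash else "path", reg))
        if c.query != r.query:
            findings.append(("query", reg))  # extra query parameters
    # No comparable registration, or a difference not covered above
    return findings or [("no-match", None)]


if __name__ == "__main__":
    # Constructed inputs, one per mistake named in the list above
    samples = [
        "https://app.example.test/oauth/callback",
        "https://app.example.test/oauth/callback/",
        "http://app.example.test:8080/oauth/callback?x=1",
    ]
    for uri in samples:
        print(uri, "->", diagnose_redirect_uri(uri) or "OK")
```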

In-house apps authenticate themselves

An in-house app is associated with exactly 1 store. The app only needs to authenticate itself to get an access token.

  1. Create a new Postman request
  2. Open Auth tab > Type > Select OAuth 2.0

Grant Type must be Client Credentials when an app authenticates itself. And the result is:

  3. Now review your in-house app configuration and enter:
  4. Click Get new access token to authenticate your app and get an access token (no refresh token for Client Credentials grant type).
     • Now use this access_token to make your first request to Developer Platform. Remember that, by the nature of an in-house app, this access_token can access only the associated store.
     • This access_token expires after expired_in seconds. You can use the token until its expiry.
     • When an access_token is expired or revoked, any request with that token will result in 401 Unauthorized. You should rely on this 401 HTTP status to request a new one.

Common mistakes

  • Wrong client authentication method: Each app is configured with 1 token endpoint authentication method; using the wrong one makes your app unrecognizable, and therefore unauthenticated, at the token endpoint.

What’s next?

That’s merely a demo with no business value. You will want to start coding and implement this part on your own. Visit authentication to continue.
