Prerequisites
- You already have a public app or an in-house app
- You already have an active store on production
- Postman >= 8.0.0
- (internet connection and electricity)
Public app gets authorization from sellers
A public app can get access tokens once a seller grants it access to a seller store. We demonstrate the process below:
- Create a new Postman request
- Open Auth tab > Type > Select OAuth 2.0
Grant Type must be Authorization Code when you are obtaining authorization from sellers. The result is:
- Now review your public app configuration and enter:
- The auth endpoint and token endpoint from the global configuration
- Your public app redirect URL
- Your public app id and secret
- Scopes you want to request from the seller. Add the scope offline if you also want a refresh_token.
- Any random state
- Your public app authentication method (token endpoint auth method)
- Click Get new access token and the seller gets a login screen. Here you must log in to Seller Center with a seller account:
- The seller clicks Đăng nhập (Login) and gets a consent screen. The seller selects one of their stores with the necessary permissions and grants your app access:
- The seller clicks Cho phép truy cập (Allow) and you get back an access token:
- Now use this access_token to make your first request to Developer Platform
- This access_token will expire after expired_in seconds. You can use the token until its expiry.
- When an access_token is expired or revoked, any request with that token will result in 401 Unauthorized. Rely on this 401 HTTP status to request a new token or to refresh it with refresh_token.
Common mistakes
- Invalid callback URL: The callback URL must exactly match one of the redirect URIs registered in your public app. Typical differences are an extra trailing slash /, the wrong scheme (http instead of https), added query parameters (which make it differ from the registered one) or the wrong port.
- Use of unregistered scopes / wrong scopes
- Invalid auth endpoint / token endpoint: Using the wrong scheme (http instead of https). Remember that a POST request to http will be redirected to https as a GET; this sometimes confuses developers.
- Some developers already have legacy sandbox apps (id and secret) and mistakenly use the sandbox app credentials together with production configuration.
- Use of the wrong client authentication method: Each app is configured with one token endpoint authentication method; using the wrong one makes your app unrecognizable, and therefore unauthenticated, at the token endpoint.
In-house apps authenticate themselves
An in-house app is associated with exactly one store. The app only needs to authenticate itself to get an access token.
- Create a new Postman request
- Open Auth tab > Type > Select OAuth 2.0
Grant Type must be Client Credentials when an app authenticates itself. The result is:
- Now review your in-house app configuration and enter:
- The token endpoint from the global configuration
- Your in-house app id and secret
- Scopes you want to request
- Your in-house app authentication method (token endpoint auth method)
- Click Get new access token to authenticate your app and get an access token (no refresh token for Client Credentials grant type).
- Now use this access_token to make your first request to Developer Platform. Remember the essence of an in-house app: this access_token can only access exactly the associated store.
- This access_token will expire after expired_in seconds. You can use the token until its expiry.
- When an access_token is expired or revoked, any request with that token will result in 401 Unauthorized. Rely on this 401 HTTP status to request a new one.
Common mistakes
- Use of the wrong client authentication method: Each app is configured with one token endpoint authentication method; using the wrong one makes your app unrecognizable, and therefore unauthenticated, at the token endpoint.
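As an added example (not code from this page or from the platform), a minimal Python client that implements the token handling described in both flows above: it authenticates at the token endpoint with either the client_secret_basic or client_secret_post method (the standard names for the two token endpoint auth methods; the one your app is configured with is an assumption here), records expired_in, and on a 401 Unauthorized renews the token exactly once (with refresh_token when the offline scope produced one, otherwise by authenticating the app again) before retrying. The endpoint URL, app id and secret are placeholders, and the HTTP transport is injected so the code runs offline.

```python
import base64
import time
from typing import Callable, Dict, Tuple
# Transport: (method, url, headers, form_fields_or_None) -> (status, json_body).
# Injected so the client runs offline here; in production wrap requests or httpx.
Transport = Callable[[str, str, Dict[str, str], object], Tuple[int, dict]]

class TokenClient:
    def __init__(self, token_endpoint, client_id, client_secret, transport: Transport,
                 auth_method="client_secret_basic"):  # or "client_secret_post"
        self.token_endpoint, self.transport = token_endpoint, transport
        self.client_id, self.client_secret = client_id, client_secret
        self.auth_method = auth_method  # must match the method configured for the app
        self.access_token, self.refresh_token, self.scope, self.expires_at = None, None, "", 0.0

    def _token_request(self, fields: Dict[str, str]) -> str:
        headers, body = {"Content-Type": "application/x-www-form-urlencoded"}, dict(fields)
        if self.auth_method == "client_secret_basic":
            creds = f"{self.client_id}:{self.client_secret}".encode()
            headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
        else:  # client_secret_post: credentials travel in the form body instead
            body.update(client_id=self.client_id, client_secret=self.client_secret)
        status, payload = self.transport("POST", self.token_endpoint, headers, body)
        if status != 200:
            raise RuntimeError(f"token endpoint rejected the request: HTTP {status}")
        self.access_token = payload["access_token"]
        self.refresh_token = payload.get("refresh_token", self.refresh_token)
        self.expires_at = time.time() + int(payload["expired_in"])  # field name as on this page
        return self.access_token

    def client_credentials(self, scope: str) -> str:
        self.scope = scope
        return self._token_request({"grant_type": "client_credentials", "scope": scope})

    def renew(self) -> str:
        # refresh_token exists only if the offline scope was granted; Client Credentials apps re-authenticate.
        if self.refresh_token:
            return self._token_request({"grant_type": "refresh_token",
                                        "refresh_token": self.refresh_token})
        return self.client_credentials(self.scope)

    def get(self, url: str) -> Tuple[int, dict]:
        if not self.access_token or time.time() >= self.expires_at:
            self.renew()  # known expiry: renew before the call, not after a failure
        bearer = lambda: {"Authorization": f"Bearer {self.access_token}"}
        status, body = self.transport("GET", url, bearer(), None)
        if status == 401:  # expired or revoked: renew exactly once, then retry
            self.renew()
            status, body = self.transport("GET", url, bearer(), None)
        return status, body
```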
What’s next?
That’s merely a demo with no business value. You will want to start coding and implement this part yourself. Visit authentication to continue.
Great man!