Access tokens

All Ecwid API requests require authentication. Ecwid supports the oAuth2 protocol, which gives applications an easy way to authenticate with API keys and then access store data on behalf of the user with access tokens.

Access tokens

Access tokens are used in the authentication of all REST API requests. There are two types of access tokens in Ecwid: secret and public tokens. These tokens are often referred to as secret_token and public_token in the documentation and Control Panel.


Neither type of access token expires, so you can use them as long as the application is installed in a merchant's store.

An Ecwid user grants or denies access to certain data in their store for a particular application. Upon authorization, the application gets its own secure access token (and an optional public token) and uses that token as a key to make REST API calls to Ecwid.


To get a secret or public access token, the user needs to go through the Ecwid oAuth app installation flow. Learn more: Get access token

Secret access token

Secret access token example:

	"secret_token": "secret_uj8jGQ6aBfS8ZM9h2r8zMMyLQ7xCiuTR"

A secret access token provides access to the Ecwid API to retrieve and change store data on behalf of the user who installed your application in their store.


The secret access token must not be visible or available in public (widget integration code, client-side JavaScript, etc.).
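One way to enforce this rule in a build or CI step, as an added example that is not part of Ecwid's documentation: the scanner below flags secret tokens found in client-side files and ignores public tokens, which are permitted there. The token pattern is inferred from this page's sample values, and the list of client-side file suffixes and all function names are assumptions.

```python
import re
from pathlib import Path

# Assumption: token shape inferred from this page's two samples
# ("secret_" / "public_" prefix followed by a long alphanumeric string).
TOKEN_RE = re.compile(r"\b(secret|public)_([A-Za-z0-9]{20,})")

# Assumption: file types that end up in a browser or storefront widget.
CLIENT_SIDE_SUFFIXES = {".js", ".mjs", ".ts", ".jsx", ".tsx", ".html", ".htm", ".vue"}


def redact(token):
    """Keep the prefix and last 4 characters so a finding never re-leaks the token."""
    prefix, _, body = token.partition("_")
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(name, text):
    """Return (file, line, redacted token) for secret tokens in one client-side file.

    Public tokens are skipped: the page allows them in client-side code.
    """
    if Path(name).suffix.lower() not in CLIENT_SIDE_SUFFIXES:
        return []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            if match.group(1) == "secret":
                findings.append((name, lineno, redact(match.group(0))))
    return findings


def scan_tree(root):
    """Scan every client-side file under root; a non-empty result should fail the build."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            findings += scan_text(str(path), path.read_text(errors="ignore"))
    return findings


# Constructed sample files; the token values are the samples shown on this page.
SAMPLES = {
    "widget.js": 'const t = "public_asdkjlsaASKDjaslkdASmndcasmrdgaSj";\n'
                 'fetchOrders("secret_uj8jGQ6aBfS8ZM9h2r8zMMyLQ7xCiuTR");\n',
    # Not a client-side file, so this exposure check does not report it.
    "backend/tokens.py": 'TOKEN = "secret_uj8jGQ6aBfS8ZM9h2r8zMMyLQ7xCiuTR"\n',
}
```

Calling `scan_tree` on the directory that is shipped to browsers and failing the build on any finding keeps a pasted secret token from reaching storefront code.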

Secret token in REST API

With a secret access token you can use any method within the access scope range that you requested from an Ecwid user in the initial steps of the oAuth process.

Once a user installs your app, you can store that token securely in your database for that user, so it's not necessary to go through the standard oAuth flow each time you need to make a request to the Ecwid API.

Public access token

Public access token example:

	"public_token": "public_asdkjlsaASKDjaslkdASmndcasmrdgaSj"

A public token provides limited access to public store data via the REST API. While secret tokens allow you to modify something in a store, like update an order status or change stock levels, public tokens can only get limited information from a store and create orders with limitations.


A public token is available only if your app requests the public_storefront access scope from a merchant.

You can retrieve the public token in any part of your application:

  • Native app interface
  • Storefront
  • External app

With a public access token you can use several REST API endpoints from anywhere (client-side JavaScript, widget integration codes, etc.).

Public token in REST API

Here's what you can do with a public access token:

  • Get limited data from store profile
  • Search enabled products
  • Get enabled product details
  • Search enabled categories
  • Get enabled category details
  • Get available variations of an enabled product
  • Search visible product types
  • Get visible product type details
  • Get dictionaries
  • Create new orders (limited statuses, requires additional scope)


These methods are available for a public token regardless of the other access scopes you requested from a store; you only need the public_storefront scope to use them.