Apps installed from the Ecwid App Market

Native apps

Native applications work in a separate tab in Ecwid Control Panel. After users install an application, Ecwid redirects them to the new tab. At the same time, iframeUrl of the app receives a request with an encoded 'payload' parameter. Payload must be decoded to get an access token, store ID, and language, which are used to interact with the store on behalf of the user. Find details on the flow here: Authentication in native apps

See native apps documentation to start working on the application.

External apps

Retrieving an access token for external apps includes the following steps:

  1. When users install the app, Ecwid redirects them to the redirectUrl with an additional temporary code parameter. Reach out to us at [email protected] to set or change it for your app.
  2. Your code exchanges temporary code for an access token from Ecwid in the background. This token can be used in REST API calls.


User needs to go through all these steps only once in order for your app to get and store access token for that user. Token will be used in any call you make to Ecwid API on behalf of the user.

1. Merchant is redirected

redirectUrl example:

# Successfull authorization

Upon successful installation, Ecwid redirects the user to the application's redirectUrl (redirect_uri parameter) with an additional code parameter in the URL (reach out to us at [email protected] to set or change it). The value of this parameter is not an actual token for the store and it must be exchanged for the token in the next step of the process.

redirectUrl parameters:

codeIn case of successful authorization, the query contains the code parameter. That is a temporary code that should be exchanged for an access token by your app. This code can be used only once and 'lives' for a few minutes so your app should request the token as soon as it gets the code. See step #2 for the details.
errorIf user authorization fails, query parameters indicate the user canceled authorization in error message

2. Get access token

Request example:


client_idrequiredApplication ID
client_secretrequiredApplication secret key
coderequiredThe temporary code received on the step #1
redirect_urirequiredredirectUrl of your application. Reach out to us at [email protected] to set or change it
grant_typerequiredAlways must be authorization_code

Response example:

 "scope":"read_store_profile update_catalog",

Ecwid responds with JSON-formatted data containing the access token and additional information. Response fields are listed below:

access_tokenSecret access token (secret_token). Your app will use it to access Ecwid REST API on behalf of the user.
token_typeAlways bearer
scopeList of permissions (API access scopes) given to the app, separated by space. See all possible values in Access scopes
store_idEcwid store ID (a unique Ecwid account identification)
public_tokenAccess tokens. Provided if requested access scopes contain public_storefront scope.


For security reasons, a temporary code can be exchanged to an access token only once. In case of second attempt, the previously provided access token is automatically disabled.