Native apps
Get access token in native apps
var storeData = EcwidApp.getPayload();
var storeId = storeData.store_id;
var accessToken = storeData.access_token;
// Use accessToken and storeId variables to make requests to Ecwid REST API
// ...
Native applications work in a separate tab in the Ecwid Control Panel. After a user installs an application, Ecwid redirects the user to the new tab. In that tab, your application can interact with the store on behalf of the user.
To get an access token and start making requests to the Ecwid API, use the Ecwid JS SDK and a couple of lines of JavaScript, as in the example above.
See native apps documentation and start working on your application.
External apps
Retrieving an access token for external apps includes the following steps:
- The user installs the application, and Ecwid redirects the user to the return URL. Reach out to us at [email protected] to set or change it for your app.
- Your code requests an access token from Ecwid in the background. This access_token will be used as the API key in all API calls.
The user needs to go through these steps only once for your app to get and store an access token for that user. This token will be used in any call you make to the Ecwid API on behalf of the user.
1. Merchant is redirected
Return URL example:
# Successful authorization
https://www.example.com/myapp?code=1234567890
Upon successful installation, Ecwid redirects the user to the application's redirect_uri with a code parameter in the URL (reach out to us at [email protected] to set or change it). The value of this parameter is not an actual token for the store and it must be exchanged for the token in the next step of the process.
Return URL parameters:
Parameter | Description |
---|---|
code | If the user successfully authorizes the application, the query will contain the code parameter. This is a temporary code that your app should exchange for an access token. The code can be used only once and 'lives' for a few minutes, so your app should request the token as soon as it gets the code. See step #2 for details. |
error | If the user does not authorize the application, the query contains the error parameter, which indicates that the user canceled authorization. |
2. Get access token
Request example:
https://my.ecwid.com/api/oauth/token?client_id=abcd0123&client_secret=01234567890abcdefg&code=987654321hgfdsa&redirect_uri=https%3A%2F%2Fwww%2Eexample%2Ecom%2Fmyapp&grant_type=authorization_code
GET https://my.ecwid.com/api/oauth/token?client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&grant_type=authorization_code
Parameter | Required | Description |
---|---|---|
client_id | required | Application ID |
client_secret | required | Application secret key |
code | required | The temporary code received in step #1 |
redirect_uri | required | Redirect URL of your application. Reach out to us at [email protected] to set or change it |
grant_type | required | Must be authorization_code |
Response example:
{
"access_token":"secure_123453lasdADSKasasdjasdklasASkmns",
"token_type":"bearer",
"scope":"read_store_profile update_catalog",
"store_id":1003,
"public_token":"public_qKDUqKkNXzcj9DejkMUqEkYLq2E6BXM9"
}
Ecwid responds with JSON-formatted data containing the access token and additional information. The response fields are listed below:
Field | Description |
---|---|
access_token | Private authorization token. This is a key your app will use to access Ecwid API on behalf of the user. |
token_type | bearer (it's always bearer ) |
scope | List of permissions (API access scopes) given to the app, separated by space. See all possible values in Access scopes |
store_id | Ecwid store ID (a unique Ecwid account identifier) |
public_token | Access tokens. Provided if the requested access scopes contain the public_storefront scope. |
For security reasons, a temporary code can be exchanged for an access token only once. On a second attempt, the previously provided access token is automatically disabled.
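Steps 1 and 2 of the external-app flow, as an added example that is not Ecwid's own code: it reads the return URL, refuses to exchange a code twice, builds the token request and validates the response. The function names, the `missing_code` label, the in-memory `seenCodes` set and the injected `httpGet` function are assumptions made for illustration.

```javascript
// Added example, not Ecwid's code. Endpoint and parameter names come from the page;
// function names, `missing_code` and the in-memory set are assumptions.
const TOKEN_ENDPOINT = 'https://my.ecwid.com/api/oauth/token';

// Step 1: the return URL carries either `code` or `error`.
function parseReturnUrl(returnUrl) {
  const params = new URL(returnUrl).searchParams;
  if (params.has('error')) return { ok: false, error: params.get('error') };
  const code = params.get('code');
  return code ? { ok: true, code } : { ok: false, error: 'missing_code' };
}

// A second exchange of the same code disables the token issued by the first, so
// refuse codes already seen (page reloads, retries, replayed return URLs).
function claimCode(seenCodes, code) {
  if (seenCodes.has(code)) return false;
  seenCodes.add(code);
  return true;
}

// Step 2: URLSearchParams percent-encodes redirect_uri. The URL contains
// client_secret, so build it server-side only and keep it out of logs.
function buildTokenUrl({ clientId, clientSecret, code, redirectUri }) {
  const query = new URLSearchParams({
    client_id: clientId, client_secret: clientSecret, code,
    redirect_uri: redirectUri, grant_type: 'authorization_code',
  });
  return `${TOKEN_ENDPOINT}?${query}`;
}

// Validate the response before storing anything from it.
function parseTokenResponse(body) {
  const data = JSON.parse(body);
  if (typeof data.access_token !== 'string' || !data.access_token) throw new Error('no access_token');
  if (data.token_type !== 'bearer') throw new Error('unexpected token_type');
  if (!Number.isInteger(data.store_id)) throw new Error('invalid store_id');
  const scopes = String(data.scope || '').split(' ').filter(Boolean);
  return { accessToken: data.access_token, storeId: data.store_id, scopes,
           publicToken: data.public_token ?? null };
}

// Whole flow. `httpGet` (url => Promise<string>) is injected so this runs offline.
async function handleReturn(returnUrl, seenCodes, app, httpGet) {
  const parsed = parseReturnUrl(returnUrl);
  if (!parsed.ok) throw new Error(`authorization failed: ${parsed.error}`);
  if (!claimCode(seenCodes, parsed.code)) throw new Error('code already exchanged');
  return parseTokenResponse(await httpGet(buildTokenUrl({ ...app, code: parsed.code })));
}
```

When the app runs as more than one process, the set of seen codes has to live in storage that all of them share.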