Apps installed from the Ecwid App Market

Native apps

Get access token in native apps

var storeData = EcwidApp.getPayload();

var storeId = storeData.store_id;
var accessToken = storeData.access_token;

// Use accessToken and storeId variables to make requests to Ecwid REST API
// ...

Native applications work in a separate tab in the Ecwid Control Panel. After the user installs an application, Ecwid redirects the user to the new tab. In that tab, your application can interact with the store on behalf of the user.

To get an access token and start making requests to the Ecwid API, use the Ecwid JS SDK and a couple of lines of JavaScript; see the example above.

See native apps documentation and start working on your application.

External apps

Retrieving an access token for external apps includes the following steps:

  1. The user installs the application, and Ecwid redirects the user to the return URL. Reach out to us at [email protected] to set or change it for your app.
  2. Your code requests an access token from Ecwid in the background. This access_token will be used as the API key in all API calls.

📘

The user needs to go through these steps only once for your app to get and store an access token for that user. This token will be used in any call you make to the Ecwid API on behalf of the user.

1. Merchant is redirected

Return URL example:

# Successful authorization
https://www.example.com/myapp?code=1234567890

Upon successful installation, Ecwid redirects the user to the application's redirect_uri with a code parameter in the URL (reach out to us at [email protected] to set or change it). The value of this parameter is not an actual token for the store and it must be exchanged for the token in the next step of the process.

Return URL parameters:

| Parameter | Description |
| --- | --- |
| code | If the user successfully authorizes the application, the query will contain the code parameter. That is a temporary code that your app should exchange for an access token. This code can be used only once and 'lives' for a few minutes, so your app should request the token as soon as it gets the code. See step #2 for the details. |
| error | If the user does not authorize the application, the query parameters indicate in the error field that the user canceled authorization. |

2. Get access token

Request example:

https://my.ecwid.com/api/oauth/token?client_id=abcd0123&client_secret=01234567890abcdefg&code=987654321hgfdsa&redirect_uri=https%3A%2F%2Fwww%2Eexample%2Ecom%2Fmyapp&grant_type=authorization_code

GET https://my.ecwid.com/api/oauth/token?client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&grant_type=authorization_code

| Parameter | Required | Description |
| --- | --- | --- |
| client_id | required | Application ID |
| client_secret | required | Application secret key |
| code | required | The temporary code received in step #1 |
| redirect_uri | required | Redirect URL of your application. Reach out to us at [email protected] to set or change it |
| grant_type | required | Must be authorization_code |

Response example:

{
 "access_token":"secure_123453lasdADSKasasdjasdklasASkmns",
 "token_type":"bearer",
 "scope":"read_store_profile update_catalog",
 "store_id":1003,
 "public_token":"public_qKDUqKkNXzcj9DejkMUqEkYLq2E6BXM9"
}

Ecwid responds with JSON-formatted data containing the access token and additional information. The response fields are listed below:

| Field | Description |
| --- | --- |
| access_token | Private authorization token. This is the key your app will use to access the Ecwid API on behalf of the user. |
| token_type | bearer (it's always bearer) |
| scope | List of permissions (API access scopes) given to the app, separated by spaces. See all possible values in Access scopes |
| store_id | Ecwid store ID (a unique Ecwid account identifier) |
| public_token | Access tokens. Provided if the requested access scopes contain the public_storefront scope. |

🚧

For security reasons, a temporary code can be exchanged for an access token only once. On a second attempt, the previously provided access token is automatically disabled.
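
An added example (not Ecwid's own code) of steps 1 and 2 handled server-side in Node.js: it rejects a canceled authorization, refuses to exchange the same code twice, builds the token request, and checks the granted scopes before the token is stored. The function names, the `app` object and the in-memory `usedCodes` set are assumptions made for this illustration.

```javascript
// Added example: return-URL handling and token exchange for an external app.
const TOKEN_ENDPOINT = 'https://my.ecwid.com/api/oauth/token';

// Hypothetical replay guard. Use shared storage if the app runs on several hosts.
const usedCodes = new Set();

// Step 1: extract the temporary code from the return URL, or fail on `error`.
function parseReturnUrl(returnUrl) {
  const params = new URL(returnUrl).searchParams;
  if (params.has('error')) {
    throw new Error('authorization canceled: ' + params.get('error'));
  }
  const code = params.get('code');
  if (!code) throw new Error('return URL has neither code nor error');
  // A second exchange of the same code disables the token already issued,
  // so a reloaded or replayed return URL must never reach step 2.
  if (usedCodes.has(code)) throw new Error('code already exchanged');
  usedCodes.add(code);
  return code;
}

// Step 2: build the GET request URL. It carries client_secret, so build and
// send it only from the server, and keep it out of logs and error reports.
function buildTokenRequest(app, code) {
  const query = new URLSearchParams({
    client_id: app.clientId,
    client_secret: app.clientSecret,
    code: code,
    redirect_uri: app.redirectUri,
    grant_type: 'authorization_code',
  });
  return TOKEN_ENDPOINT + '?' + query.toString();
}

// Validate the JSON response body before storing anything from it.
function parseTokenResponse(body, requiredScopes) {
  const data = JSON.parse(body);
  if (typeof data.access_token !== 'string' || data.token_type !== 'bearer') {
    throw new Error('unexpected token response');
  }
  const granted = new Set(String(data.scope || '').split(' ').filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) throw new Error('missing scopes: ' + missing.join(', '));
  return { storeId: data.store_id, accessToken: data.access_token, scopes: [...granted] };
}
```

Send the URL returned by `buildTokenRequest` with your HTTP client of choice and pass the response body to `parseTokenResponse`; do not retry the exchange automatically on failure.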