OAuth for public apps: GET request type changed to POST

Last updated 1 month ago


What's new

The OAuth mechanism for public apps has received enhanced security: the request that exchanges the temporary code for an access token now requires the POST method, with the parameters sent in the request body.

Changes in API

From now on, the authentication process requires a POST request for the code exchange.

The request must call https://my.ecwid.com/api/oauth/token with a URL-encoded request body. All params in the request body are required and must be encoded as a form, with the Content-Type: application/x-www-form-urlencoded header set.

POST /api/oauth/token HTTP/1.1
Host: my.ecwid.com
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&grant_type=authorization_code

where:

  • {code} – the temporary code value received in the previous step (when the user clicks the "Install app" button in the Ecwid admin).

  • {client_id} – the client_id value for your app.

  • {client_secret} – the client_secret value for your app.

  • {redirect_uri} – the redirect_url value for your app.

Why the changes are breaking

Previously it was possible to get an OAuth token with a GET request, where client_secret and client_id were exposed as query params. That method is now deprecated and no longer works for any app.

So if you intend to have new installations of your app (for example, if it's a public app or an app available on a reseller partner's channel), you need to update to the new authorization flow.

How to update the app

  1. Check whether your app uses Ecwid OAuth to receive access tokens. For example, a so-called external app, whose user dashboard is hosted on your side, always requires OAuth to be installed in Ecwid stores.

  2. Update your app code to the new authorization flow: the code must now be exchanged through a POST request with URL-encoded body params.
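The code exchange described above, as an added example that is not Ecwid's own code: it builds the POST request with all four required params form-encoded in the body, so client_id and client_secret never appear in the URL (and therefore not in access logs or proxy history), and it refuses to send a request with a missing param. The HTTP client (urllib) and the placeholder values are my assumptions, and the response body is returned raw because this page does not describe its format.

```python
# Added example, not Ecwid's own code: POST-based code exchange for Ecwid OAuth.
import urllib.parse
import urllib.request

TOKEN_URL = "https://my.ecwid.com/api/oauth/token"
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Return (url, headers, body) for the code-exchange POST.

    Every param is required by the endpoint, so an empty one is rejected
    here instead of producing a failed (and logged) request upstream.
    """
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    missing = [name for name, value in params.items() if not value]
    if missing:
        raise ValueError("missing required OAuth params: " + ", ".join(missing))
    # urlencode percent-escapes the values; the secret lives only in the body.
    body = urllib.parse.urlencode(params).encode("utf-8")
    headers = {"Content-Type": FORM_CONTENT_TYPE}
    return TOKEN_URL, headers, body


def url_leaks_secret(url, client_secret):
    """Guard for the deprecated GET flow: True if the secret is in the URL."""
    return urllib.parse.quote(client_secret, safe="") in url or client_secret in url


def exchange_code(client_id, client_secret, code, redirect_uri,
                  opener=urllib.request.urlopen):
    """Send the POST and return (status, raw response text)."""
    url, headers, body = build_token_request(client_id, client_secret,
                                             code, redirect_uri)
    assert not url_leaks_secret(url, client_secret)  # never falls back to GET
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req, timeout=15) as resp:
        return resp.status, resp.read().decode("utf-8")


if __name__ == "__main__":
    # Constructed placeholder values; replace with your app's real ones.
    print(build_token_request("APP_ID", "APP_SECRET", "TEMP_CODE",
                              "https://example.invalid/callback"))
```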

Native and external apps

Breaking changes! Changes listed below may break some apps' logic.