# OAuth for public apps: GET request type changed to POST

{% hint style="danger" %}
**Breaking changes!**\
Changes listed below may break some apps' logic.
{% endhint %}

#### What's new

The OAuth mechanism for public apps has enhanced security: the request that exchanges the temporary code for the access token must now be a POST request with the params sent in the request body.

{% content-ref url="/spaces/uOzT5egoVTAjMJwRuMQT/pages/AFVM0V8oFIdw8c7C5bft" %}
[Native and external apps](/launch-apps/native-and-external-apps.md)
{% endcontent-ref %}

#### Changes in API

From now on, the authentication process requires a POST request for the `code` exchange.

The request must be sent to `https://my.ecwid.com/api/oauth/token` with a URL-encoded request body. All params in the request body are **required**, and the request must carry the `Content-Type: application/x-www-form-urlencoded` header.

{% code overflow="wrap" %}

```http
POST /api/oauth/token HTTP/1.1
Host: my.ecwid.com
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&grant_type=authorization_code
```

{% endcode %}

where:

* `{code}` – is the temporary `code` value received in the previous step (when users click the "Install app" button in Ecwid admin).
* `{client_id}` – is the `client_id` value for your app.
* `{client_secret}` – is the `client_secret` value for your app.
* `{redirect_uri}` – is the `redirect_url` value for your app.

#### Why the changes are breaking

Previously, an OAuth token could be obtained with a GET request in which `client_secret` and `client_id` were exposed as query params. This method is now deprecated and no longer works for any apps.

So if you intend to have new installations for your app (for example, if it's a public app or an app available on the reseller partner's channel), you need to update to the new authorization flow.

#### How to update the app

1. Check if your app works with Ecwid OAuth for receiving access tokens. \
   \
   For example, if it's a so-called external app with the user's dashboard hosted on your side. Such apps always require OAuth to be installed in Ecwid stores.
2. Update your app code with the new authorization flow: the `code` must be exchanged through a POST request with URL-encoded body params now.
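
An added example of step 2 in Python (not Ecwid's own code): it builds the POST request with every parameter in the URL-encoded body, and includes a helper for spotting legacy GET-style URLs in your code or outbound logs that still carry secrets in the query string. The function names, the `SENSITIVE` set and the sample values are assumptions made for illustration.

```python
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_URL = "https://my.ecwid.com/api/oauth/token"  # endpoint from this page
SENSITIVE = {"client_secret", "code"}  # assumed set of params to keep out of URLs


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Build (without sending) the POST request that exchanges `code` for a token."""
    # urlencode() percent-encodes each value, so characters such as '&' or '='
    # inside a secret cannot break the body into extra parameters.
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL,  # no query string: nothing sensitive ends up in the URL
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def leaked_query_params(url):
    """Return the sensitive parameter names found in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(SENSITIVE & set(query))


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    req = build_token_request("demo-app", "s3cr3t&=x", "tmp-code-123",
                              "https://app.example.com/oauth/callback")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # Constructed legacy-style URL of the deprecated GET flow.
    legacy = TOKEN_URL + "?client_id=demo-app&client_secret=s3cr3t&code=tmp-code-123"
    print(leaked_query_params(legacy))
    # To send the request: urllib.request.urlopen(req, timeout=10)
```
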


