Store ID is now required for external apps' authentication

What's new

This release makes a small addition to the authentication flow for external apps. When a user installs the app, your server now receives the store ID along with the temporary code. To obtain the access token for that store, pass both the code and the store ID in the follow-up POST request.

Native and external apps

Changes in API

Before the change, incoming token requests looked like:

https://www.example.com/myapp?code=abcd123456

where:

  • https://www.example.com/myapp is the redirectUrl

  • abcd123456 is the code

Now incoming requests have an additional parameter:

https://www.example.com/myapp?code=abcd123456&store_id=1003 

where:

  • 1003 is the store ID from which the installation was triggered

Your follow-up request for the access token should now look like this:

POST /api/oauth/token/{store_id} HTTP/1.1
Host: my.ecwid.com
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&grant_type=authorization_code

The only change here is the new {store_id} param passed in the request path.

Timeline

For now, we support both the old and the new flows for external apps' authentication. We recommend updating your applications now.

The old flow will be disabled in ~5-6 months. However, we'll monitor non-updated apps and notify developers before shutdown.

How to update the app

  1. Check if your app is an external app. External applications handle the authentication process (when users install the app) on their side and have a redirectUrl specified in the app dashboard.

  2. Make sure your redirectUrl parses both code and store_id query params from incoming requests.

  3. Add the /{store_id} path param to the follow-up call, so that it is POST /api/oauth/token/{store_id} instead of POST /api/oauth/token.
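
Steps 2 and 3 as a handler sketch. This is an added example, not code from the platform's documentation. Because store_id arrives in a query string and is then placed in a URL path, the sketch validates it first. Assumptions: store IDs are plain decimal numbers (as in 1003), and the function names and sample credentials are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode
from urllib.request import Request

TOKEN_URL = "https://my.ecwid.com/api/oauth/token"  # host and path from the request shown above
STORE_ID_RE = re.compile(r"[0-9]{1,20}")  # assumption: store IDs are decimal digits, like 1003


def parse_install_callback(url):
    """Return (code, store_id) from a request to redirectUrl, rejecting malformed input."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = {}
    for name in ("code", "store_id"):
        found = params.get(name, [])
        # Duplicate or empty parameters are ambiguous, so refuse them outright.
        if len(found) != 1 or not found[0]:
            raise ValueError(f"expected exactly one non-empty {name!r} parameter")
        values[name] = found[0]
    # store_id is spliced into the URL path, so allow nothing that could alter it.
    if not STORE_ID_RE.fullmatch(values["store_id"]):
        raise ValueError("store_id is not a plain number")
    return values["code"], values["store_id"]


def build_token_request(code, store_id, client_id, client_secret, redirect_uri):
    """Build (but do not send) the POST /api/oauth/token/{store_id} request."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }).encode("ascii")
    return Request(
        f"{TOKEN_URL}/{store_id}",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample callback, using the example values from this page.
    code, store_id = parse_install_callback(
        "https://www.example.com/myapp?code=abcd123456&store_id=1003")
    req = build_token_request(code, store_id, "my-client-id", "my-client-secret",
                              "https://www.example.com/myapp")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Send the built request with urllib.request.urlopen or translate it to the HTTP client your app already uses; the validation step is the part to keep.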
