# Store ID is now required for external apps' authentication

{% hint style="danger" %}
**Breaking changes!**\
When released, the changes listed below will break some apps' logic. Please update your apps to ensure they are ready for the change.
{% endhint %}

#### What's new

A small addition to the authentication flow for external apps. When a user installs the app, you now receive not only the **temporary code**, but also the **store ID** on your server. And to obtain the access token for that store, you need to pass both the **code** and **store ID** in the following <mark style="color:blue;">`POST`</mark> request.

{% content-ref url="/spaces/uOzT5egoVTAjMJwRuMQT/pages/AFVM0V8oFIdw8c7C5bft" %}
[Native and external apps](/launch-apps/native-and-external-apps.md)
{% endcontent-ref %}

#### Changes in API

Before the change, incoming token requests looked like:

```
https://www.example.com/myapp?code=abcd123456
```

where:

* `https://www.example.com/myapp`  is the **redirectUrl**
* `abcd123456`  is the **code**

Now incoming requests have an additional parameter:

```
https://www.example.com/myapp?code=abcd123456&store_id=1003 
```

where:

* `1003` is the store ID from which the installation was triggered

And here is how your following request for the access token should look:

```http
POST /api/oauth/token/{store_id} HTTP/1.1
Host: my.ecwid.com
Content-Type: application/x-www-form-urlencoded

client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&grant_type=authorization_code
```

The only change here is the new **{store\_id} param** passed in the request path.

#### Timeline

For now, we support both the old and the new flows for external apps' authentication. We recommend updating your applications now.

The old flow will be disabled **in \~5-6 months**. However, we'll monitor non-updated apps and notify developers before shutdown.

#### How to update the app

1. Check if your app is an external app. External applications handle the authentication process (when users install the app) on their side and have a **redirectUrl** specified in the app dashboard.
2. Make sure your **redirectUrl** parses both `code` and `store_id` query params from incoming requests.
3. Add `/{store_id}` path param to the follow-up call.\
   So it looks like <mark style="color:blue;">`POST`</mark> `/api/oauth/token/{store_id}` \
   instead of <mark style="color:blue;">`POST`</mark> `/api/oauth/token`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.ecwid.com/changelog/september-2025/september-19/store-id-is-now-required-for-external-apps-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.