Store ID is now required for external apps' authentication
Breaking changes! When released, the changes listed below will break some apps' logic. Please update your apps to ensure they are ready for the change.
What's new
A small addition to the authentication flow for external apps. When a user installs the app, you now receive not only the temporary code, but also the store ID on your server. And to obtain the access token for that store, you need to pass both the code and store ID in the following POST
request.
Changes in API
Before the change, incoming token requests looked like:
https://www.example.com/myapp?code=abcd123456
where:
https://www.example.com/myapp
is the redirectUrlabcd123456
is the code
Now incoming requests have an additional parameter:
https://www.example.com/myapp?code=abcd123456&store_id=1003
where:
1003
is the store ID from which the installation was triggered
And here is how your following request for the access token should look:
POST /api/oauth/token/{store_id} HTTP/1.1
Host: my.ecwid.com
Content-Type: application/x-www-form-urlencoded
client_id={client_id}&client_secret={client_secret}&code={code}&redirect_uri={redirect_uri}&grant_type=authorization_code
The only change here is the new {store_id} param passed in the request path.
Timeline
For now, we support both the old and the new flows for external apps' authentication. We recommend updating your applications now.
The old flow will be disabled in ~5-6 months. However, we'll monitor non-updated apps and notify developers before shutdown.
How to update the app
Check if your app is an external app. External applications handle the authentication process (when users install the app) on their side and have a redirectUrl specified in the app dashboard.
Make sure your redirectUrl parses both
code
andstore_id
query params from incoming requests.Add
/{store_id}
path param to the follow-up call. So it looks likePOST
/api/oauth/token/{store_id}
instead ofPOST
/api/oauth/token
Last updated
Was this helpful?