Before a user on the eBay site can perform any operation of significance (e.g., list an item or bid on an item), that user must log in to the site using an eBay user name and a password. Similarly, before the user of an application can make an API call, it must be determined that the application's end user is authorized to do so. Making this determination is called authentication. On the eBay site, authentication is accomplished by the user signing in. When an application is acting on a user's behalf, authentication is accomplished by the application passing authenticating data in the API call's request. eBay uses the user authentication data passed with the call's request to identify and authenticate the requesting user before performing the requested action.

For many API calls — as is the case with many user activities on the eBay site — this user authentication is merely a verification that the user is a registered eBay user. For instance, anyone who is a registered user may retrieve and view item data with GetSellerList. However, some operations require that the user in question is also verified to be a particular user. For example, only an item's seller is authorized to re-list a particular item. So authentication for an item re-list operation using RelistItem verifies both that the requester is a registered eBay user and that the requester is the item's seller.

There are two types of authentication data that an application may pass to eBay in a call's request:

  • A user's authentication token
  • The pairing of a user's session ID and the full keyset of your developer credentials

    Important! This combination is required only when issuing a FetchToken call to obtain the user's authentication token initially.

    The full set of developer keys is also required for the GetTokenStatus, RevokeToken, and GetSessionID API calls.
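The sketch below is an added example, not eBay's code: it attaches the right authentication data per call (token in the XML body, developer keyset in the `X-EBAY-API-*-NAME` headers), rejects a request that lacks what the call requires, and masks key values before logging. `build_request`, `redact`, and the key dictionary are hypothetical names, all sample values are constructed, and non-authentication request fields are omitted.

```python
import xml.etree.ElementTree as ET

NS = "urn:ebay:apis:eBLBaseComponents"
# Calls that this page says require the full set of developer keys.
KEYSET_CALLS = {"FetchToken", "GetTokenStatus", "RevokeToken", "GetSessionID"}
KEY_HEADERS = {"dev_id": "X-EBAY-API-DEV-NAME",
               "app_id": "X-EBAY-API-APP-NAME",
               "cert_id": "X-EBAY-API-CERT-NAME"}

def build_request(call, token=None, session_id=None, keys=None):
    """Return (headers, xml_body) carrying the authentication data `call` needs."""
    headers = {"X-EBAY-API-CALL-NAME": call, "Content-Type": "text/xml"}
    root = ET.Element(f"{{{NS}}}{call}Request")
    if call in KEYSET_CALLS:
        missing = [k for k in KEY_HEADERS if not (keys or {}).get(k)]
        if missing:
            raise ValueError(f"{call} requires the full keyset; missing {missing}")
        for name, header in KEY_HEADERS.items():
            headers[header] = keys[name]
    if call == "FetchToken":
        # No token exists yet: the session ID identifies the consenting user.
        if not session_id:
            raise ValueError("FetchToken requires the user's session ID")
        ET.SubElement(root, f"{{{NS}}}SessionID").text = session_id
    elif token:
        creds = ET.SubElement(root, f"{{{NS}}}RequesterCredentials")
        ET.SubElement(creds, f"{{{NS}}}eBayAuthToken").text = token
    elif call not in KEYSET_CALLS:
        raise ValueError(f"{call} requires the user's authentication token")
    ET.register_namespace("", NS)  # serialize with a default xmlns
    return headers, ET.tostring(root, encoding="unicode")

def redact(headers):
    """Copy of `headers` that is safe to log: developer key values are masked."""
    secret = set(KEY_HEADERS.values())
    return {h: ("***" if h in secret else v) for h, v in headers.items()}

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    keys = {"dev_id": "DEV-EXAMPLE", "app_id": "APP-EXAMPLE", "cert_id": "CERT-EXAMPLE"}
    hdrs, body = build_request("FetchToken", session_id="SESSION-EXAMPLE", keys=keys)
    print(redact(hdrs))
    print(body)
    hdrs, body = build_request("RelistItem", token="TOKEN-EXAMPLE")
    print(hdrs)  # no developer keys are sent with an ordinary token-authenticated call
```

The request body still contains the token or session ID, so it should be kept out of logs in the same way as the masked headers.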

For additional information about authenticating calls, refer to: