New VeriSign Certificate for Open eBay: March 1, 2011

For Open eBay app developers: on March 1, 2011, we will update the VeriSign certificate at

Make sure your Open eBay apps switch to using the new certificate to verify subscription calls from eBay. You can find instructions here:

February 23, 2011 in Authentication & Authorization, Developer Community, Open eBay | Permalink

Coming Soon: New VeriSign Certificate for Open eBay Apps

Attention Open eBay developers: the VeriSign certificate used for subscription calls between Open eBay and your application will expire in early March.

Before that happens, the Open eBay team will publish a new certificate for your application to use, and instructions for its use, here:

Watch this space for updates, and if you have any questions, please file a support ticket:


-Open eBay team

February 9, 2011 in Authentication & Authorization, Developer Community, Open eBay, Product News | Permalink

New in the Trading API Docs: A Short Tutorial about Getting Tokens

A new tutorial shows a simple case of an application getting a token for a subscribing user. It includes the setup of the consent flow, the user's view of the consent form, and the calls the application makes to get the token.

Please check out the tutorial and tell us what you think of this new format. Would you like to see more API workflow tutorials? What tasks/workflows would you like us to document? Use the "User-Contributed Notes" section at the bottom of each tutorial to give us your feedback.

November 15, 2010 in Authentication & Authorization, Documentation, Trading API | Permalink

See you at DevCon!

DevCon2My name is Sarika and I am a Developer Technical Support Engineer at eBay. Here at eBay, I work with third party developers to provide consultation and best practice recommendations about the eBay APIs.

I am getting ready for DevCon and really excited to be a part of it. Have you registered for DevCon yet? If you haven't, I would highly recommend you do. DevCon is your chance to meet and interact with folks at eBay (execs, developers, product managers..) and to hear some awesome keynotes from industry leaders.

If you are an API newbie, I would recommend you sign up for the pre-conference workshop - eBay API Jumpstart. This hands-on workshop will cover the basic concepts of the eBay Platform and get you familiarized with some of our popular APIs. At the end of the workshop, you will be API ready and all set to code your first app!

See you there! 

May 21, 2010 in Authentication & Authorization, Developers Conference | Permalink

Updates to User Token Retrieval Flow, and New Application Settings Tool (Beta)

Update (8/14/2008): We've noticed a glitch with a couple of the new features in the Application Settings tool. Well, it IS a beta. We have temporarily disabled the ability to rename your keysets, and to add a custom logo and URL via the tool. You can still make those updates via the API. See this system announcement for information on this workaround, and status on the issue. We hope to have a fix in next week. We're sorry for any inconvenience!

We've made several improvements to the User Token retrieval process, and made it even easier for developers to configure and maintain their application-level settings. New features of the token retrieval process include:

  • A new Application Settings Tool (Beta) is now available on for developers to view their stored user token, manage application-level Platform Notification and Client Notification settings, and customize the User Consent Page. Here's an example of a customized User Consent page:
  • Customized User Consent Form

    Please try out the new tool at (requires login).

  • Enhanced User Consent Page: There is a new way to set up the user consent flow for your application, and set other application-level settings.
  • The old user consent setup process involved making an RuName for your application using the SetRuName call, and then calling SetReturnURL to establish other application authentication settings. With the new Application Settings Tool, you set up your user consent flow by filling out a simple form.

    The tool also lets you add your application logo and a URL to your User Consent Page, so users can learn more about your application.This improvement makes the User Consent Page more friendly to new users, helps reinforce your brand, and provides a way for users to find  more information about the application they are authorizing. 

    For more information, please see

  • eBay UserID Verification Option: An ID Verification option has been added to the User Consent flow, for applications that only need to confirm an eBay member's UserID.  This option is supported at the RuName level, and allows an application to confirm an eBay member's UserID by taking the user through the standard User Consent Flow [also known as the Auth & Auth flow].  The application can use the new ConfirmIdentity call to verify the member's UserID that was provided at login time. 
  • For more information, please see

We look forward to hear your feedback regarding this tool and will appreciate the suggestions and input.You could send your valuable feedback to

August 11, 2008 in Authentication & Authorization, Developer Website, Product News | Permalink

Identity Confirmation and User Tokens

We previously posted about Trusted Selling with Identity Confirmation. In certain cases, eBay will be requiring sellers to verify their identity by initiating an automated phone call to their registered phone number. If unable to do so, sellers can also contact Live Help for identity confirmation.

Developer Impact:
I have gotten some additional clarification about how this impacts developers. eBay sellers who list using 3rd party tools will not get identity checks when listing with these tools. They will, however, go through identity checks when they grant consent for the tool to list items on their behalf (i.e., when a new user token is generated).

If the eBay member is granting consent from an unrecognized computer, they may initiate an automated phone call from eBay to their registered phone number with a PIN number. That PIN number should be entered in the next screen.

Developers should be prepared for these identity checks when a user token has expired (and consent must be granted again), or when signing up a new customer (and consent is given for the first time). It's a good idea to prepare the eBay member for what they will experience, and to make sure they have a current phone number on file with eBay or add a mobile phone number as a secondary phone number.

This applies ONLY to developers who manage user tokens.

June 4, 2008 in Authentication & Authorization, Product News | Permalink

No Change to Auth & Auth for Identity Confirmation

Last week, you heard from John Canfield about Trusted Selling with Identity Confirmation. In certain cases, eBay will now be requiring people to enter a PIN received over the phone when they sign in to eBay.

Developer Impact:
Developers will not be required to make any changes to their applications as a result of this new process. If your application requires use of the Auth & Auth sign in process, when necessary, we will handle the PIN confirmation for you, before providing you with a token.

April 18, 2008 in Authentication & Authorization, Business News | Permalink

Auth & Auth Tokens: Upcoming 18-month Expiration

Authentication & Authorization (Auth & Auth) tokens have an 18-month maximum life before they expire and become invalid. To re-validate the token, users must be prompted to go through your application's Auth & Auth flow again.

eBay introduced Auth & Auth in April 2004. Developers of applications where users have not been prompted to authenticate since April 2004 will be impacted. Users of these applications will begin to encounter expired Auth & Auth tokens beginning in October 2005.

Developer Impact: In order to prevent a disruption of service, please make sure your application correctly handles expired tokens and sends the seller back through Auth & Auth to re-validate the token. You may wish to proactively check the expiration date of your tokens, and let affected users know when their token will expire. These users can then complete the Auth & Auth process before they are confronted with an invalidated Auth & Auth token.

For more information on Auth & Auth, please consult the eBay Web Services documentation.

September 13, 2005 in Authentication & Authorization, Critical Notes from Tech Support, Documentation | Permalink

Auth/Auth Redirect URL Change

This week eBay made a minor change to the URL used for third-party authentication and authorization ("auth & auth"). eBay API applications should continue to function normally with no change, since the current URL will continue to function for an indefinite period of time (the old URL will redirect to the new URL).

Currently, authentication URLs that begin with this string:
or this string:
will now begin with this string:

Although this is not a breaking change, for efficiency, developers should update their code to use the new URL.

August 11, 2004 in Authentication & Authorization | Permalink | Comments (3)

Reminder: Authentication and Authorization

Remember, July 1, 2004 is the final date to update your application to use Auth & Auth. If you don't make this change, your application will break. For further details, click here.

June 14, 2004 in Authentication & Authorization | Permalink | Comments (0)