Setting up OAuth
Updated over a week ago

uses OAuth to let App Developers access its API. This system helps App Developers get permission from stores to create Apps using an API token. This way, you can make secure requests to's API based on how stores behave.

In this guide, we'll show you how to set up OAuth in step by step.


  • We strongly recommend using OAuth for enhanced security during integration.

  • Request access only to the essential data to ensure proper verification and official promotion of your integration.

Step 1: Create an app in

  • Visit and input your email address to log in as a reviewer.

  • will send a "magic link" to your email. Follow the link to proceed with the login process.

App Name: Your app name

Redirect URI: The endpoint to receive authorization confirmation with the authorization code from API (e.g.,

Logo URL: Direct link to your app's logo

Link to: Link to your app's homepage

After creating your app, click the "edit" icon to find the Client ID and Secret. You'll use these for authorization and getting an access token later on.

Step 2: Identify the scopes

  • Scopes define what your app can access, and stores control these permissions.

  • Request only the scopes you need for a higher chance of approval.

  • Here's a list of the API scopes; make sure to use the correct names:

Default scopes


Optional scopes

read_shops, write_shops,


read_orders, write_orders,

read_products, write_products,

read_reviewers, write_reviewers,

read_reviews, write_reviews,

read_settings, write_settings

Step 3: Build the authorization URL to redirect stores to

  • OAuth follows the OAuth 2.0 standard.

  • You can consult any OAuth 2.0 guide for details.

  • Construct an authorization URL to redirect stores to

  • This URL includes parameters identifying your app and defining the permissions (scopes) requested from the stores.

When stores click the authorization URL, your app redirects them to The URL loads the OAuth grant screen, requesting stores to authorize the specified scopes.

Authorization URL format


Example of a real authorization URL


Parameters in the authorization URL


Every connected app is identified by a client_id. You can find this value when editing your app in


redirect_uri is the endpoint that will use to send authorization confirmation with the authorization code back to your app server.


scope is the list of permissions that your app requests the stores to approve.


response_type will be set to code, indicating that the application expects to receive an authorization code if successful.

state (optional)

You can send a random value as state when starting the authorization request and use it to validate the authorization code when receiving a response from

Example of a callback from with an authorization code to your app

Started GET ""
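The following Python sketch is an added example, not code from the original guide. It builds the authorization URL from the parameters described above and checks state on the callback before accepting the code. The endpoint and callback URLs are placeholders, the function names are hypothetical, and it assumes scopes are space-delimited and that the callback carries code and state as query parameters, as in standard OAuth 2.0.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder: the real authorization endpoint is not shown on this page.
AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth/authorize"

# Optional scope names as listed in Step 2.
KNOWN_SCOPES = {
    f"{action}_{resource}"
    for action in ("read", "write")
    for resource in ("shops", "orders", "products",
                     "reviewers", "reviews", "settings")
}


def build_authorization_url(client_id, redirect_uri, scopes):
    """Return (url, state); store state in the user's server-side session."""
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scope names: {sorted(unknown)}")
    state = secrets.token_hex(24)  # 48 hex characters from the OS CSPRNG
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # assumption: space-delimited scopes
        "response_type": "code",
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def extract_code(callback_url, expected_state):
    """Return the authorization code only if the callback's state matches."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    # Constant-time comparison; an empty expected value never matches.
    if not expected_state or not hmac.compare_digest(
            returned.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: discard this callback")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code parameter")
    return codes[0]
```

Generate a fresh state for every authorization request and discard it after one use, so a replayed or forged callback cannot be matched to a live session.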

Step 4: Exchange for a permanent access token

Next, exchange the authorization code for a permanent access token, allowing API calls within defined scopes. For this exchange, you'll need:

  • client_id (from step 1)

  • client_secret (from step 1)

  • code (from step 3)

  • redirect_uri (link to your app server)

The client_id and client_secret are the values you obtained in step 1 when creating the app. The code is the value you received in step 3. The redirect_uri is the link to your app server.

curl --location --request POST '' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "client_id": "7ce4d77492c0ab540885601378e7442415b14e48b9865ab1bf5a9d548fa8eba8",
    "client_secret": "5f62a03e9ff7349b57aaade0b8d78f7603256bd97a347f6949424c1ade4383a2",
    "code": "32279746ee4db4312ca49ae627f043fbc3680f605c3603170e5a875f7afe2b1c",
    "redirect_uri": "",
    "state": "9f1c39b9a714771ccb331fb5742a57453fae7173a26329d0",
    "grant_type": "authorization_code"
  }'

Example response:

{
  "access_token": "39452ed283252c8ea2083faa9b371cc77e82c22471da921b8cd6db935e4ee37a",
  "token_type": "Bearer",
  "scope": "read_products write_products public",
  "created_at": 1646287086
}

Once you have this access token, you can call the relevant APIs within the platform:

curl --location --request GET '' \
  --header 'Content-Type: application/json' \
  --data-raw '{"api_token": "39452ed283252c8ea2083faa9b371cc77e82c22471da921b8cd6db935e4ee37a"}'

When you use APIs within your allowed scope, you can get the data you need. For example, if your scope includes the "read_products" API, you can get product information.

On the other hand, if you try to use APIs not in your scope, you'll get an error. For instance, if "read_reviews" isn't in your scope and you try to use it, you'll see an error message saying, "You can't access this resource."

If you need help setting up OAuth, contact our team at [email protected]. We're available to help 24/7!
