Website logo

Authentication

In order to call protected APIs, you must authenticate as a Trade Me member. Ultimately, this means you must obtain an OAuth access token for the member you wish to authenticate as. There are a few ways of obtaining this token:

Generate an access token

If you have registered an application, you can generate an OAuth token using the following form. This doesn't negate the need to implement OAuth (since you still need that to make requests) but if you are the only user of your app, then you can skip implementing the authentication steps. Enter your consumer key and secret below to start.
Environment:
Consumer Key:
Consumer Secret:
Permissions:
Your token will appear below once the process is complete.

OAuth Token:
OAuth Token Secret:

Implementing the OAuth redirection-based authorization process

The basic steps to implement OAuth are as follows:
  1. Generate a temporary request token by making a request to this URL: https://secure.trademe.co.nz/Oauth/RequestToken?scope=<scope>. The request should be a valid OAuth request (with a consumer key, a signature and optionally a callback, but without a token). The scope parameter is optional but if supplied must be a comma-separated list of these possible values: MyTradeMeRead, MyTradeMeWrite, BiddingAndBuying.
  2. Redirect the user to this URL: https://secure.trademe.co.nz/Oauth/Authorize?oauth_token=<token> (or open the URL in a web browser if your app is native). The user is expected to log in and then grant access to their account. Once that is done, the user will either be redirected to a callback URL of your choosing, or a pin will be presented to the user which can be input by the user into your app.
  3. Swap your request token with a long-lived access token by making a request to this URL: https://secure.trademe.co.nz/Oauth/AccessToken You will need to include the request token (which you obtained in step 1) and a verifier (which you can get from the redirect URL, or from the pin) among the OAuth parameters.
  4. Now you can use the access token to call protected APIs.
A more detailed walkthrough is available: example OAuth flow.

How long do access tokens last?

Our current policy is that access tokens are deleted if they are not used for at least six months. Access tokens can also be deleted by the member who approved the creation of the token, at any time, by going to the My Applications page in My Trade Me. Tokens can also be deleted by a Trade Me administrator or by a user changing their password. If you attempt to use an OAuth token after it has been deleted then you will get a HTTP 401 error.