AuthenticationIn order to call protected APIs, you must authenticate as a Trade Me member. Ultimately, this means you must obtain an OAuth access token for the member you wish to authenticate as. There are a few ways of obtaining this token:
- Use the access token generator form below. Use this method if you know the member's username and password. An access token will be generated immediately. Note: this method is intended for cases where you are trying to access your own account; please do not solicit passwords from members.
- Implement the OAuth redirection-based authorization process. Use this method if you don't know the member's credentials. An access token will be generated after you deliver your application to a user, and they approve access to their account. This process is designed to allow members to grant applications access to their Trade Me account without sharing their Trade Me username or password.
Generate an access token
Implementing the OAuth redirection-based authorization processThe basic steps to implement OAuth are as follows:
- Generate a temporary request token by making a request to this URL: https://api.trademe.co.nz/Oauth/RequestToken?scope=<scope>. The request should be a valid OAuth request (with a consumer key, a signature and optionally a callback, but without a token). The scope parameter is optional but if supplied must be a comma-separated list of these possible values: MyTradeMeRead, MyTradeMeWrite, BiddingAndBuying.
- Redirect the user to this URL: https://trademe.co.nz/Oauth/Authorize?oauth_token=<token> (or open the URL in a web browser if your app is native). The user is expected to log in and then grant access to their account. Once that is done, the user will either be redirected to a callback URL of your choosing, or a pin will be presented to the user which can be input by the user into your app.
- Swap your request token with a long-lived access token by making a request to this URL: https://api.trademe.co.nz/Oauth/AccessToken You will need to include the request token (which you obtained in step 1) and a verifier (which you can get from the redirect URL, or from the pin) among the OAuth parameters.
- Now you can use the access token to call protected APIs.