
2016 Callback Changes

On 5 September 2016 we changed how callbacks work on the Trade Me API to make things more secure and flexible for apps. Below is a note of the changes that were made, so if you're firing up an old app and having problems with callbacks, this may help with your troubleshooting.

Callback Changes:

This page is designed to help you understand what (if anything) you need to change on your application before 5 September 2016 to ensure it continues to work correctly.

Please read through this information carefully, apply the appropriate changes if required, and test your application before 5 September 2016. If you have any questions please contact us at api@trademe.co.nz

Your existing callback that's registered against your application on Trade Me will now be referred to as your "default callback". You can now also register domains that will allow any callback to that domain; these are referred to as "callback domains". If you are a Client application, as opposed to a Browser application, then you will only need to use "oob" as your oauth_callback.

Make sure your default callback is a valid URL in your application, as we will redirect here if you don’t provide an oauth_callback in your authorization header. Check out the first table below to find out whether you need to do anything. To edit your application head over to Developer Options on your My Trade Me page.

All callback URLs must be HTTPS. If you add any callback domains to your application, HTTPS is enforced immediately. If you don’t add any callback domains to your application (or you don’t need to), we will enforce HTTPS for all callbacks from 5 September 2016. Your application will break if you don’t request HTTPS in your oauth_callback or if your default callback is not HTTPS.
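The rules above, written out as a small callback resolver so you can check a registration against the requests your app actually makes. This is an added example, not Trade Me's own code, and it assumes one thing the page does not spell out: a registered callback domain matches a requested callback on scheme and host (and port, if any) only, with the path ignored and the host compared case-insensitively. The sample scenarios in the block are constructed from the tables on this page.

```python
# Added example (not Trade Me's code): resolve the effective callback for an
# authorization request under the rules on this page.
# Assumption: a callback "domain" matches on scheme://host[:port] only; the
# path of the requested callback is ignored for domain matches.
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

OOB = "oob"


class CallbackError(ValueError):
    """The requested oauth_callback (or the registration itself) is not acceptable."""


@dataclass(frozen=True)
class AppCallbackConfig:
    """What is registered against the application in Developer Options."""
    default_callback: str                       # full https:// URL, or "oob"
    callback_domains: Tuple[str, ...] = ()      # e.g. ("https://abc.com",)


def _origin(url: str) -> str:
    """scheme://host[:port] of an absolute URL, lower-cased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise CallbackError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def _require_https(url: str) -> None:
    if urlsplit(url).scheme.lower() != "https":
        raise CallbackError(f"callback must be HTTPS: {url!r}")


def validate_config(config: AppCallbackConfig) -> None:
    """A non-HTTPS default or domain breaks every request once HTTPS is enforced."""
    if config.default_callback != OOB:
        _require_https(config.default_callback)
    for domain in config.callback_domains:
        _require_https(domain)
        if urlsplit(domain).path not in ("", "/"):
            raise CallbackError(f"callback domain must be scheme and host only: {domain!r}")


def resolve_callback(config: AppCallbackConfig, oauth_callback: Optional[str]) -> str:
    """Return the callback that will actually be used for this request.

    absent oauth_callback -> the registered default
    "oob"                 -> always allowed
    a URL                 -> must be HTTPS and either equal the default exactly
                             or sit on a registered callback domain
    """
    validate_config(config)
    if not oauth_callback:
        return config.default_callback
    if oauth_callback.lower() == OOB:
        return OOB
    _require_https(oauth_callback)
    if oauth_callback == config.default_callback:
        return oauth_callback
    if _origin(oauth_callback) in {_origin(d) for d in config.callback_domains}:
        return oauth_callback
    raise CallbackError(
        f"{oauth_callback!r} is neither the default callback nor on a registered domain")


def is_allowed(config: AppCallbackConfig, oauth_callback: Optional[str]) -> bool:
    """Boolean form of resolve_callback, handy for table-driven checks."""
    try:
        resolve_callback(config, oauth_callback)
        return True
    except CallbackError:
        return False


if __name__ == "__main__":
    # Constructed scenario matching the last row of the tables on this page.
    cfg = AppCallbackConfig("https://abc.com/business/callback",
                            ("https://abc.com", "https://xyz.com"))
    for cb in (None, "oob", "https://abc.com/personal/callback",
               "https://xyz.com/callback/1234-5678",
               "http://abc.com/callback",                  # not HTTPS
               "https://abc.com.evil.example/callback",    # look-alike host
               "https://evil.example/?next=https://abc.com/callback"):
        try:
            print(f"{cb!r:60} -> {resolve_callback(cfg, cb)}")
        except CallbackError as e:
            print(f"{cb!r:60} -> REJECTED: {e}")
```

The two rejected look-alike cases at the end are why matching is done on the parsed origin rather than with a string prefix check: `https://abc.com.evil.example/...` and a URL that merely contains `https://abc.com` in its query string both start with the registered text but are not on the registered domain.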

Work out if you need to do anything as an existing consumer:

| Where you redirect to | Existing default callback | Action required |
|---|---|---|
| Any http:// URL | N/A | You MUST change your callback to be HTTPS |
| Out of band (OOB, no redirect) | OOB (a client application) | N/A |
| https://abc.com/callback | OOB (a client application) | Change your default callback to https://abc.com/callback |
| https://abc.com/callback, and OOB sometimes | OOB (a client application) | Change your default callback to https://abc.com/callback. OOB will always be allowed if requested in oauth_callback in the Authorization header. |
| https://abc.com/callback, https://abc.com/personal/callback, and OOB sometimes | OOB (a client application) | If you are happy with OOB being the default when no oauth_callback is present in the Authorization header, leave the default as OOB; otherwise change it to the full path of your preferred default. Add a callback domain: https://abc.com |
| https://abc.com/callback | https://abc.com/callback (a browser application) | N/A |
| https://abc.com/callback | https://xyz.com/callback (a browser application) | Change your default callback to https://abc.com/callback |
| https://abc.com/callback, https://xyz.com/callback | https://abc.com/callback (a browser application) | Leave your default callback if you are happy with it being used when you do not include an oauth_callback parameter in your request. Add a callback domain: https://xyz.com. If you want to redirect to many paths on https://abc.com, add it to your callback domains too. |
| https://abc.com/personal/callback, https://abc.com/business/callback | https://abc.com/personal/callback (a browser application) | Leave your default callback if you are happy with it being used when you do not include an oauth_callback parameter in your request. Add a callback domain: https://abc.com |
| https://abc.com/personal/callback, https://abc.com/business/callback, https://xyz.com/callback, https://xyz.com/callback/1234-5678 | https://abc.com/business/callback (a browser application) | Leave your default callback if you are happy with it being used when you do not include an oauth_callback parameter in your request. Add https://abc.com and https://xyz.com as callback domains |

General Information about Callbacks

| Where you redirect to | Default callback | Callback domains | Notes |
|---|---|---|---|
| OOB (no redirect) | OOB (a client application) | N/A | |
| https://abc.com/callback | https://abc.com/callback | N/A | |
| https://abc.com/callback, and OOB sometimes | https://abc.com/callback | N/A | OOB is always allowed when requested in oauth_callback. |
| https://abc.com/callback, https://abc.com/personal/callback, and OOB sometimes | https://abc.com/callback or OOB | https://abc.com | If you are happy with OOB being the default when no oauth_callback is present in the Authorization header, set the default to OOB; otherwise set it to the full path of your preferred default (e.g. https://abc.com/callback). |
| https://abc.com/callback, https://xyz.com/callback | https://abc.com/callback or https://xyz.com/callback (e.g. https://abc.com/callback) | The other URL's domain: https://abc.com or https://xyz.com (e.g. https://xyz.com) | Select whichever of the two URLs is your preferred default when no oauth_callback is passed, and set one callback domain to the other URL's domain. |
| https://abc.com/personal/callback, https://abc.com/business/callback | https://abc.com/personal/callback or https://abc.com/business/callback | https://abc.com | Select whichever of the two URLs is your preferred default when no oauth_callback is passed. |
| https://abc.com/personal/callback, https://abc.com/business/callback, https://xyz.com/callback, https://xyz.com/callback/1234-5678 | Any one of those four URLs | https://abc.com, https://xyz.com | Select whichever of the four URLs is your preferred default when no oauth_callback is passed. |