2016 Callback Changes
On 5 September 2016 we changed how callbacks work on the Trade Me API to make things more secure and flexible for apps. Below is a note of the changes that were made, so if you're firing up an old app and having problems with callbacks, this may help with your troubleshooting.
Callback Changes:
This page is designed to help you understand what (if anything) you need to change on your application before 5 September 2016 to ensure it continues to work correctly.
Please read through this information carefully, apply the appropriate changes if required, and test your application before 5 September 2016. If you have any questions please contact us at api@trademe.co.nz
Your existing callback, the one registered against your application on Trade Me, is now referred to as your "default callback". You can also register domains: any callback URL on a registered domain will be accepted, and these are referred to as "callback domains". If you are a Client application (as opposed to a Browser application) you only need to use "oob" as your oauth_callback.
Make sure your default callback is a valid URL for your application, as we will redirect there if you don't provide an oauth_callback in your Authorization header. Check the first table below to find out whether you need to do anything. To edit your application, go to Developer Options on your My Trade Me page.
All callback URLs must be HTTPS. If you add any callback domains to your application this is enforced immediately. If you don't add any callback domains (or don't need to), we will enforce HTTPS for all callbacks from 5 September 2016. Your application will break if the oauth_callback you request is not HTTPS, or if your default callback is not HTTPS.
Work out if you need to do anything as an existing consumer:
Where you redirect to | Existing Default callback | Actions required |
HTTP* | N/A | You MUST change your callback to be HTTPS |
Out Of Band (OOB - no redirect) | OOB (a client application) | N/A |
https://abc.com/callback | OOB (a client application) | Change your default callback to https://abc.com/callback |
https://abc.com/callback, AND OOB sometimes | OOB (a client application) | Change your default callback to https://abc.com/callback. OOB will always be allowed if requested in oauth_callback in the Authorization header. |
https://abc.com/callback, https://abc.com/personal/callback, AND OOB sometimes | OOB (a client application) | If you are happy with OOB being the default when no oauth_callback is present in the Authorization header then leave the default as OOB, otherwise change it to the full path of your preferred default. Add a callback domain: https://abc.com |
https://abc.com/callback | https://abc.com/callback (a browser application) | N/A |
https://abc.com/callback | https://xyz.com/callback (a browser application) | Change your default callback to https://abc.com/callback |
https://abc.com/callback, https://xyz.com/callback | https://abc.com/callback (a browser application) | Leave your default callback if you are happy with it being used when you do not include an oauth_callback parameter in your request. Add a callback domain: https://xyz.com. If you also want to redirect to many paths on https://abc.com, add that to your callback domains too. |
https://abc.com/personal/callback, https://abc.com/business/callback | https://abc.com/personal/callback (a browser application) | Leave your default callback if you are happy with that being used if you do not include an oauth_callback parameter in your request. Add a callback domain: https://abc.com |
https://abc.com/personal/callback, https://abc.com/business/callback, https://xyz.com/callback, https://xyz.com/callback/1234-5678 | https://abc.com/business/callback (a browser application) | Leave your default callback if you are happy with it being used when you do not include an oauth_callback parameter in your request. Add https://abc.com and https://xyz.com as callback domains. |
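The following is an added example, not Trade Me's code and not from the original page. It shows how the rules above compose on the server side when deciding where to redirect after authorization: read oauth_callback out of the Authorization header, fall back to the default callback when it is absent, always accept "oob" when requested, refuse anything that is not HTTPS, and accept an arbitrary path only on a registered callback domain. The page does not say how Trade Me compares a requested URL against a callback domain; the exact scheme, host and port comparison used here (no suffix matching, so https://abc.com.evil.net never matches https://abc.com) is an assumption. The header in the demo is constructed.

```python
"""Callback resolution for an OAuth 1.0a authorization request.

Added example for this page, not Trade Me's code. It applies the rules stated
above: a registered default callback, optional callback domains, "oob" always
accepted when requested, and HTTPS only. How Trade Me compares a requested URL
against a callback domain is not specified on the page; the exact
scheme+host+port comparison below (no suffix matching) is an assumption.
"""
import re
from urllib.parse import unquote, urlsplit

OOB = "oob"
_OAUTH_PARAM = re.compile(r'(\w+)="([^"]*)"')


class CallbackError(ValueError):
    """The request cannot be redirected anywhere safe."""


def oauth_callback_from_header(authorization):
    """Return the oauth_callback carried in an 'OAuth ...' Authorization header,
    or None when the parameter is absent (the default callback then applies)."""
    if not authorization or not authorization.startswith("OAuth "):
        return None
    params = dict(_OAUTH_PARAM.findall(authorization[len("OAuth "):]))
    value = params.get("oauth_callback")
    # Header parameter values are percent-encoded (RFC 5849 section 3.5.1).
    return unquote(value) if value is not None else None


def _origin(url):
    """scheme://host[:port] of an HTTPS URL; anything else is rejected.
    Userinfo, path, query and fragment are dropped, so a registered domain
    written as https://abc.com/ normalises to https://abc.com, and
    https://abc.com@evil.net/ has the origin https://evil.net."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise CallbackError(f"not an https URL: {url!r}")
    try:
        port = parts.port
    except ValueError as exc:
        raise CallbackError(f"invalid port in {url!r}") from exc
    suffix = f":{port}" if port not in (None, 443) else ""
    return f"https://{parts.hostname}{suffix}"


def resolve_callback(requested, default_callback, callback_domains=()):
    """Return where to send the user after authorization: a URL or "oob".

    requested is the oauth_callback from the Authorization header (None when
    absent); default_callback and callback_domains are what is registered
    against the application.
    """
    # No oauth_callback: the registered default is used, and it must itself
    # be "oob" or an https URL or the application breaks.
    target = default_callback if requested is None else requested
    if target == OOB:
        return OOB  # oob is always allowed when requested
    origin = _origin(target)  # raises for http://, on the default as well
    if requested is None or target == default_callback:
        return target  # an exact match with the default needs no domain
    if origin in {_origin(d) for d in callback_domains}:
        return target  # any path on a registered callback domain
    raise CallbackError(
        f"{target!r} is neither the default callback nor on a registered callback domain"
    )


def is_allowed(requested, default_callback, callback_domains=()):
    """True when resolve_callback would redirect, False when it would refuse."""
    try:
        resolve_callback(requested, default_callback, callback_domains)
        return True
    except CallbackError:
        return False


def config_problems(default_callback, callback_domains=()):
    """What has to change before the HTTPS enforcement date; [] means nothing."""
    problems = []
    if default_callback != OOB:
        try:
            _origin(default_callback)
        except CallbackError as exc:
            problems.append(f"default callback: {exc}")
    for domain in callback_domains:
        try:
            _origin(domain)
        except CallbackError as exc:
            problems.append(f"callback domain: {exc}")
    return problems


if __name__ == "__main__":
    # Constructed header as a Browser application might send it; only the
    # parameters relevant here are included.
    header = ('OAuth oauth_consumer_key="key", '
              'oauth_callback="https%3A%2F%2Fabc.com%2Fpersonal%2Fcallback", '
              'oauth_signature="sig"')
    requested = oauth_callback_from_header(header)
    print(resolve_callback(requested, "https://abc.com/business/callback", ["https://abc.com"]))
    print(config_problems("http://abc.com/callback"))
```

The last row of the table above is the scenario in the demo: the default is https://abc.com/business/callback, https://abc.com is a callback domain, and a request for https://abc.com/personal/callback is honoured because its origin is registered. Drop the callback domain and the same request is refused, which is the behaviour the table is telling you to plan for.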
General Information about Callbacks
Where you redirect to | Default callback | Callback Domains | Notes |
OOB (no redirect) | OOB (a client application) | N/A | |
https://abc.com/callback | https://abc.com/callback | N/A | |
https://abc.com/callback, AND OOB sometimes | https://abc.com/callback | N/A | |
https://abc.com/callback, https://abc.com/personal/callback, AND OOB sometimes | https://abc.com/callback OR OOB | Add a callback domain: https://abc.com | If you are happy with OOB being the default when no oauth_callback is present in the Authorization header, set the default to OOB; otherwise set it to the full path of your preferred default (e.g. https://abc.com/callback). |
https://abc.com/callback, https://xyz.com/callback | https://abc.com/callback OR https://xyz.com/callback, e.g. https://abc.com/callback | https://abc.com OR https://xyz.com, e.g. https://xyz.com | Select which of the two URLs is your preferred default when no oauth_callback is passed. Set one callback domain to the other URL's domain. |
https://abc.com/personal/callback, https://abc.com/business/callback | https://abc.com/personal/callback OR https://abc.com/business/callback | https://abc.com | Select which of the two URLs is your preferred default when no oauth_callback is passed. |
https://abc.com/personal/callback, https://abc.com/business/callback, https://xyz.com/callback, https://xyz.com/callback/1234-5678 | https://abc.com/personal/callback OR https://abc.com/business/callback OR https://xyz.com/callback OR https://xyz.com/callback/1234-5678 | https://abc.com, https://xyz.com | Select which of the four URLs is your preferred default when no oauth_callback is passed. |