
Authorisation

Only a few API calls do not require authentication — such as our Catalogue methods — and for these calls you can choose not to use OAuth. This is the simplest type of API call, and is not rate limited, but it doesn’t get you very far. To do anything vaguely useful with the API, you’ll need to register an application.

OAuth

All authenticated calls follow the OAuth 1.0a spec, which is documented in RFC 5849. OAuth parameters can be specified in the query string, the Authorization header, or the POST body, but we highly recommend you use the Authorization header. We support the HMAC-SHA1 and PLAINTEXT signature methods (PLAINTEXT is recommended). RSA-SHA1 is not supported.

You must use HTTPS when using OAuth. This is important to ensure another layer of security around our members’ private data.

Application authenticated calls

Application authenticated calls allow us to identify your application but do not allow you to access member-specific data. To use this type of authentication, you simply omit the oauth_token parameter.

Example:

Authorization: OAuth oauth_consumer_key="<consumer-key>", oauth_signature_method="PLAINTEXT", oauth_signature="<consumer-secret>&"

Member authenticated calls

The most important type of authenticated call is where you are accessing a member’s Trade Me account. This allows you to use the full set of APIs. For this type of call, the rate limit is per member, i.e. each member is counted separately. You need to obtain an access token to use this type of authentication; to get one, see the page on authentication.

Example:

Authorization: OAuth oauth_consumer_key="<consumer-key>", oauth_token="<token>", oauth_signature_method="PLAINTEXT", oauth_signature="<consumer-secret>&<token-secret>"
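As an added example (not Trade Me's own code), the following Python builds both Authorization headers shown above, for an application call and for a member call, and also the HMAC-SHA1 variant the page says is supported, so the two signature methods can be compared side by side. Function names are the example's own; any URL or credential passed to it is a constructed placeholder.

```python
# Added example, not Trade Me's code: build the Authorization headers described above.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def oauth_header(params: dict) -> str:
    """Serialise as an Authorization header (RFC 5849 section 3.5.1). Values are
    percent-encoded, so the '&' in a PLAINTEXT signature travels as %26."""
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())


def plaintext_header(consumer_key, consumer_secret, token=None, token_secret=None):
    """PLAINTEXT: signature = encoded consumer secret + '&' + encoded token secret.
    Omit token for an application-authenticated call; nothing then follows the '&'."""
    params = {"oauth_consumer_key": consumer_key}
    if token is not None:
        params["oauth_token"] = token
    params["oauth_signature_method"] = "PLAINTEXT"
    params["oauth_signature"] = f"{pct(consumer_secret)}&{pct(token_secret or '')}"
    return oauth_header(params)


def base_string(method, url, params: dict) -> str:
    """Signature base string (RFC 5849 section 3.4.1): METHOD & url-without-query &
    (query + oauth params, each encoded, sorted, then encoded again as a whole)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_header(method, url, consumer_key, consumer_secret, token=None,
                     token_secret=None, nonce=None, timestamp=None):
    """HMAC-SHA1: the secrets key an HMAC over the base string and are never sent,
    so a request captured in a proxy or access log does not expose them."""
    params = {"oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce or secrets.token_hex(16),
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp or int(time.time()))}
    if token is not None:
        params["oauth_token"] = token
    key = f"{pct(consumer_secret)}&{pct(token_secret or '')}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    params["oauth_signature"] = base64.b64encode(mac).decode()
    return oauth_header(params)
```

With PLAINTEXT the header carries the secrets themselves, which is why the page requires HTTPS; with HMAC-SHA1 only a per-request signature leaves the client, at the cost of a nonce and timestamp the server must check.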