API Application Going Live. Zhuowei Yang

Size: px

Start display at page:

Download "API Application Going Live. Zhuowei Yang"

Conrad Mason
5 years ago
Views:

1 API Application Going Live Zhuowei Yang

2 Agenda API Credentials Best Practices Application Compatibility Check 2

3 API Credentials

4 API credentials API credentials and User Token Token Tool for single user User Token: Multiple Users Token Status Token Revocation Sample Auth & Auth applications 4

5 API credentials and User Token These IDs make up an API credential DevID : Unique identifier for the developer's account AppID: Unique identifier for the application. CertID: Unique identifier that authenticates the application when making API calls. An User Token authorizes an application to access ebay data on an ebay User's behalf is generated when an ebay user goes through ebay sign-in flow and the app s consent page 5

6 6

7 User Token Valid for 18 Months DevID AppID CertID Expiration Date Keyset Auth Token is the encryption of Environment User Info Sandbox Production UserID Password 7

Single User Application - The easiest way to generate a token is by using the User Token Tool (http://developer.

8 Single User Application - The easiest way to generate a token is by using the User Token Tool ( okentool). - Create Sandbox User with Sandbox Registration tool : tokentool 8

9 Environment Keyset and user token are unique to the environment one set of keys per environment (sandbox/production) 9

10 Sandbox It is a test environment for you to use while you're developing your application. list items, end items, leave feedback as part of testing your application Won't be charged for listing items, nor for buying these test items. Sandbox Trading API Endpoint: - XML Fomat - SOAP Fomat 10

11 Production You will be charged listing fees, or for buying items, and negative feedback will stay on your record ebay Trading API Endpoint: XML format: SOAP format: 11

12 RuName An identifier for a particular signin process flow. It allows you to customize properties such as your application AcceptUrl, RejectURL, application display name, and application description. 12

SessionID obtained above Redirect user to ebay Sign-in https://signin.ebay.com/ws/ebayisapi.

13 User Token: Multiple Users Configure Application Settings for every user follow process as below GetSessionID() with your RuName Url-Encode SessionID obtained above Redirect user to ebay Sign-in RuName&SessID=SessionID FetchToken(SessionID) 13

14 Application Settings Tool Customize the User Consent Page View your stored user token an example of a customized User Consent Page. 14

15 Token Status 18-month Expiration: User tokens have an 18-month life time. Renew your token before they expire to extend the life of the token Token Status GetTokenStatus API call for token status TokenRevocation Platform notification Handle expired tokens Send user through token generation process 15

16 Token Revocations An user token becomes invalid if any one of the following has happened when a user's id or password has been reset by ebay CS for any reason The token owner revoked the third party authorization through My ebay Application made the RevokeToken API to invalidate the token 16

17 Auth & Auth Samples.NET Auth & Auth Desktop Application JAVA Auth & Auth Desktop Application 17

18 Client Alert Token A Client Alert Token: Lifetime=7days authorizes an application to retrieve private Alerts on an ebay User's behalf is returned in GetClientAlertAuthToken with user token used for authentication and authorization calls to the Trading API 18

19 GetClientAlertsAuthToken Trading API 19

20 Best Practices

21 Best Practices Choosing the API - Keep it light Performance and Throughput Retry Troubleshooting Schema Evolution 21

22 Choosing the Right API ebay API 9 different sets of API s Trading API Platform Notifications LMS Shopping API Finding API Which one is right for me? i-by-feature/ 22

23 Throughput ebay rate limits calls See your Trading API usage at dashboard.asp Detail Levels Controlling the Amount of Data Returned Configurable Output Time Ranges Caching 23

24 Retry Do Retry up to three times with time gap Server Internal Errors HTTP status 500 Infrastructure Errors Proxy Error (HTTP status 502) HTTP/1.1 Service Unavailable Do Not Retry on Internal Application Error (Error Code: 10007) Request errors 24

25 Trouble Shooting Diagnose (Logging raw request and response xmls) Reproduce Payload logging (Exception based logging feature) Sample and Report proactively 25

26 Schema Evolution Plan to update your application at least once in 6 months Take advantage of new features, types, enum values Deprecation - minimum supported version is updated every 6 months For latest updates Subscribe to newsletter Check Release notes 26

27 Rate Limiting Basics Applications get 5000 calls per day; higher limits through Application Compatibility Check See your trading API usage at dashboard.asp GetAPIUsage References: and 822 and

28 Application Compatibility Check

29 Why App Check By passing the process, you Will get higher API call limit Can use the ebay Compatible Application logo The process is free 29

30 Compliance with API Policies and Guidelines API License Agreement ebay API Logo Usage Requirements Don't use the ebay corporate logo in your application. ebay site policies ebay User Agreement 30

31 Follow the OWASP secure coding principles OWASP secure coding principles XSS CSRF SQL injection 31

32 Going Live Check List Implement User Token API Usage and Volume Check that API version in use is > supported version Logo Requirements XSS CSRF SQL injection Error Handling - No automatic retries after errors 32

33 Check list for Compatible Application Check process Design How you have designed your application so as to make the optimal use of the API. DetailLevel - Consider using the minimal level that you need. Using Notifications wherever possible. Provide details on your DoS protection API usage. This includes a list of each and every individual API call. Token retrieval method - multiple or single users - How you retrieve the user token Best Practices how you are following the best practice for your call. For example, if you are using AddItem, consider using UUID to eliminate the risk of listing an item twice Testing Provide either the website or download link to the application that needs tested. If required for testing, please provide a test account. Please provide testing instructions in English. Logo usage: Incorrect usage of ebay Logos will delay App Check process Version : Check that API version in use is > supported version

34 Q&A

BlackBerry AtHoc Networked Crisis Communication. BlackBerry AtHoc API Quick Start Guide

BlackBerry AtHoc Networked Crisis Communication BlackBerry AtHoc API Quick Start Guide Release 7.6, September 2018 Copyright 2018 BlackBerry Limited. All Rights Reserved. This document may not be copied,