Accesses Token
Accesses Token
When you connect a store through EcartAPI, we encrypt the store's platform credentials and deliver a single unified access token. This token represents the encrypted access to that specific store integration—you use it as your Authorization: Bearer <token> for all API calls (see Store access token for how to obtain and save it).
Each platform uses a different authentication mechanism behind the scenes (OAuth2, API keys, fixed tokens, client credentials), but from your perspective you always work with one EcartAPI access token per connected store.
Token lifecycle
The lifetime of your EcartAPI access token depends entirely on the underlying ecommerce platform's own token. EcartAPI does not impose its own expiration—the token remains valid as long as the platform credentials behind it are valid.
- Platforms with non-expiring tokens (e.g. Shopify, BigCommerce, Ecwid): Your EcartAPI access token remains valid indefinitely. No action is needed.
- Platforms with expiring access tokens (e.g. Amazon, Mercado Libre, TikTok Shop): The platform's access token expires after a certain period. When this happens, EcartAPI automatically handles the renewal using the platform's refresh token—the next time you make an API request, EcartAPI exchanges the expired access token for a new valid one transparently. You will not see any change or interruption; this auto-refresh process is completely automatic.
- Platforms with API keys (e.g. WooCommerce, PrestaShop, VTEX): These use static credentials that do not expire. Your EcartAPI access token remains valid as long as the API key on the platform side is active.
When does an EcartAPI access truly expire?
An EcartAPI access token only expires when both the platform's access token and its refresh token have expired. At that point, there is no way to exchange for a new valid access, and the store must be re-authorized by the end user through the integration flow.
For platforms where the refresh token has a limited lifespan shorter than 6 hours, EcartAPI proactively keeps the access alive by refreshing it before it expires. This prevents accidental invalidation on platforms with very short-lived refresh tokens—no action is required from you.
In summary: If your EcartAPI access token stops working, it means the platform's credentials have fully expired and cannot be renewed. The store owner will need to re-authorize the connection.
Platform token reference
The following table shows the approximate token behavior for each supported platform. Expiration times are estimates and may vary based on platform configuration.
| # | Platform | Auth Type | Access Token | Expiration | Refresh Token |
|---|---|---|---|---|---|
| 1 | AliExpress | API Key / Sign | ❌ | — | ❌ |
| 2 | Allegro | OAuth2 | ✅ | ~12h | ✅ (~3 months) |
| 3 | Amazon | OAuth2 (LWA) | ✅ | ~1h | ✅ |
| 4 | Bling | API Key | ❌ | — | ❌ |
| 5 | BigCommerce | Fixed token | ✅ | No expiration | ❌ |
| 6 | Cdiscount | API Key | ❌ | — | ❌ |
| 7 | Claro Shop | API Key | ❌ | — | ❌ |
| 8 | CS-Cart | API Key | ❌ | — | ❌ |
| 9 | Ecart | Proprietary token | ✅ | Variable | ❌ |
| 10 | eBay | OAuth2 | ✅ | ~2h | ✅ (~18 months) |
| 11 | Ecwid | Fixed token | ✅ | No expiration | ❌ |
| 12 | Etsy | OAuth2 | ✅ | ~1h | ✅ |
| 13 | Falabella | API Key | ❌ | — | ❌ |
| 14 | Hybris (SAP) | OAuth2 | ✅ | Variable | ✅ |
| 15 | Jumpseller | API Key | ❌ | — | ❌ |
| 16 | Kometia | Proprietary token | ✅ | Variable | ❌ |
| 17 | Linio | API Key | ❌ | — | ❌ |
| 18 | Liverpool | API Key | ❌ | — | ❌ |
| 19 | Loja Integrada | Fixed token | ✅ | No expiration | ❌ |
| 20 | Magento 1 | Token | ✅ | No expiration | ❌ |
| 21 | Magento 2 | Token | ✅ | No expiration* | ❌ |
| 22 | Mercado Libre | OAuth2 | ✅ | ~6h | ✅ (~6 months) |
| 23 | Miravia | OAuth2 | ✅ | ~2h | ✅ |
| 24 | Multivende | Proprietary token | ✅ | Variable | ❌ |
| 25 | NopCommerce | API Key | ❌ | — | ❌ |
| 26 | Odoo | OAuth2 | ✅ | Variable | ✅ |
| 27 | OpenCart | API Key | ❌ | — | ❌ |
| 28 | PrestaShop | API Key | ❌ | — | ❌ |
| 29 | PrestaShop 9 | API Key | ❌ | — | ❌ |
| 30 | QuickBooks | OAuth2 | ✅ | ~1h | ✅ (~100 days) |
| 31 | Salesforce | OAuth2 | ✅ | 15m–12h | ✅ |
| 32 | Shein | Private | ❌ | — | ❌ |
| 33 | ShipHero | Token | ✅ | No expiration | ❌ |
| 34 | Shoplazza | Fixed token | ✅ | No expiration | ❌ |
| 35 | Shopify | Fixed token | ✅ | No expiration | ❌ |
| 36 | Squarespace | OAuth2 | ✅ | Variable | ✅ |
| 37 | Temu | Private | ❌ | — | ❌ |
| 38 | Tienda Nube | Fixed token | ✅ | No expiration | ❌ |
| 39 | TikTok Shop | OAuth2 | ✅ | ~24h | ✅ (~1 year) |
| 40 | Tiny | API Key | ❌ | — | ❌ |
| 41 | Tray | API Key | ❌ | — | ❌ |
| 42 | Unicommerce | API Key | ❌ | — | ❌ |
| 43 | Vend (VendHQ) | OAuth2 | ✅ | ~1h | ✅ |
| 44 | Verskis | Proprietary token | ✅ | Variable | ❌ |
| 45 | VTEX | API Key | ❌ | — | ❌ |
| 46 | Walmart | Client Credentials | ✅ | ~15 min | ❌ |
| 47 | Weebly | OAuth2 | ✅ | Variable | ✅ |
| 48 | WooCommerce | API Key | ❌ | — | ❌ |
| 49 | Wix | OAuth2 | ✅ | Variable | ✅ |
| 50 | Yampi | API Key | ❌ | — | ❌ |
| 51 | Zoho Inventory | OAuth2 | ✅ | ~1h | ✅ |
Note: Expiration times are approximate and may change based on platform updates or account configuration. Tokens marked with
*may have configurable expiration on the platform side. Additionally, any token—including those marked as "No expiration"—may become invalid if the store owner changes their password, modifies app permissions, or any other action outside of EcartAPI occurs on the platform side. In that case, the store will need to be re-integrated.
Updated 23 days ago