Store authentication
Store authentication
To make Ecart API requests you need a store access token. Your customers integrate their store through Ecart API's authentication process; you do not need to assist them.
Recommended: Use the built-in authentication flow so store owners can connect their store easily. After a successful integration, the user is redirected to your Redirect URL with the tokens and data you need.
What you receive in the redirect URL
Your redirect URL is called with query parameters such as:
| Parameter | Description |
|---|---|
| access_token | The token you use as Bearer when calling Ecart API (store access token). |
| ecommerce | Platform name (e.g. Shopify, Wix). |
| url | Store URL. |
| name | Store name. |
| token | Internal token reference (e.g. OAuth2 JWT). |
| refreshToken | Refresh token when the platform supports it. |
| userId | User identifier. |
| ecartapi_key | HMAC for validating the integration request (see below). |
Example (conceptual):
https://example.com/integrations?access_token=...&ecommerce=Wix&url=...&name=...&token=...&refreshToken=...&userId=...&ecartapi_key=...
Validating the integration request
To validate that the redirect request is legitimate, use the ecartapi_key parameter. It is an HMAC with SHA-256 and Base64 encoding.
| Input | Value |
|---|---|
| Base string | Your App ID and the access token received, concatenated with &. |
| Secret key | The Client Id token from your dashboard settings. |
Use this to verify the request before saving the store access token.
Recap: Validate the redirect with ecartapi_key (HMAC SHA-256, Base64), then save the access_token and link it to your customer.
Next
→ OAuth 2.0 — How to send your customer to the OAuth URL and what they see.
→ Store access token — Where to find the token, saving it, and using it as Bearer.
Updated 30 days ago