Getting the API access token

In the following section, we assume that you have set up a partner e-shop and that you are an approved Shoptet API partner. For example, the partner e-shop URL shall be https://12345.myshoptet.com.

Used terms

OAuth Access Token
This string represents each individual installation of your addon at the e-shop and it is necessary to gain an API access token. Time unlimited validity. 255 characters long.

code
String sent as a GET parameter to your URL, which was entered in the addon settings. Time limited validity.

API access token
String to access the Shoptet API. Time limited validity. Its length varies from 38 to 60 characters. You can retrieve an API access token by calling the authorized requirement on the OAuth server. You execute the authorization using the OAuth access token, which you get from the process Your addon installation by the e-shop.

Getting the API access token

This process should be independent of the installation process and must be called every time you have no valid API access token.

The API access token has a time-limited validity and the number of API access tokens currently valid for one installation is limited to 5 per OAuth access token.

You get a token by calling an endpoint OAuth server’s authorized request.

An example of gaining an API access token in PHP

// The URL to gain an API access token, this is an example only; The specific value can be found in
// the partner e-shop administration -> Connection -> API partner -> Access to API
$apiAccessTokenUrl = 'https://12345.myshoptet.com/action/ApiOAuthServer/getAccessToken';

// the value saved by the installation process, unique for each e-shop
$OauthAccessToken = '05bvguwz7zp10s6cj37csrwpfl4kfkxa6ojmophp6fabzkspi821g2yso0x4bqktwuouifak9sl6yssvpt9cwidgvt21p5czb108rlo94krwumlgal3na9ky7qdaq0jfkt180omfahbsxtoemfwstjhrf98y3b7qpytbkm53ic99ghpiqdkqb08j6gearo4kw9zeavehjvndabyoneili9qcs65tnsg9cpror28i725394tkf4rxxp62cq46xd9'

// OAuth access token is to be added to the request hader
$curl = curl_init($apiAccessTokenUrl);
curl_setopt($curl, CURLOPT_HTTPHEADER, ['Authorization: Bearer ' . $OauthAccessToken]);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
$response = curl_exec($curl);
curl_close($curl);

In the $response there is the ‘access_token’, which is the API access token for access to Shoptet API.

{"access_token":"123456-a-fltqc2nn5zg8y5h69jx8976ltwi2p1qg","expires_in":1800}
$response = json_decode($response, TRUE);
$apiAccessToken = $response['access_token'];

You will use the API access token obtained to call the Shoptet API endpoints. For instructions on how to create the requirement at Shoptet API and a list of endpoints, see Documentation at Apiary.

We recommend that you save the token’s expiration time together with the token to check. If the validity time is exceeded, request a new API access token. Alternatively, you can capture an invalid-token error message when you call the API, and repeat the request after requesting a new token. After the token, expires you will receive a 401 Unauthorized return code in the body

{
    "data": null,
    "errors": [{
        "errorCode": "invalid-token",
        "message": "Invalid access token 123456-a-fltqc2nn5zg8y5h69jx8976ltwi2p1qg.",
        "instance": "access-token"
    }]
}