Getting the API access token

In the following section, we assume that you have already set up a partner e-shop and have been approved as a Shoptet API partner. For the purposes of this example, the partner e-shop URL will be https://12345.myshoptet.com.

Used terms

OAuth Access Token
A unique string representing each individual installation of your add-on in an e-shop. It is required to obtain an API access token. It has unlimited validity and is 255 characters long.

code
A string sent as a GET parameter to your specified URL (as set in the add-on settings). It has limited-time validity.

API access token
A string used to access the Shoptet API. It has limited-time validity and its length ranges from 38 to 60 characters. You can obtain an API access token by making an authorized request to the OAuth server. This request is authorized with the OAuth access token, which you receive when the e-shop installs your add-on.

How to obtain an API access token

This process should be independent of the installation process and must be triggered whenever you don't have a valid API access token.

The API access token has a limited validity period, and each installation can have a maximum of 5 valid API access tokens per OAuth access token at any given time.

You can obtain a new token by sending an authorized request to the OAuth server’s endpoint.

Example of obtaining an API access token using PHP

// URL used to obtain an API access token. This is just an example — the actual URL can be found in:
// Partner e-shop administration → Connection → API partner → Access to API
$apiAccessTokenUrl = 'https://12345.myshoptet.com/action/ApiOAuthServer/getAccessToken';

// OAuth access token obtained during the add-on installation process.
// This value is unique for each e-shop installation.
$OAuthAccessToken = '05bvguwz7zp10s6cj37csrwpfl4kfkxa6ojmophp6fabzkspi821g2yso0x4bqktwuouifak9sl6yssvpt9cwidgvt21p5czb108rlo94krwumlgal3na9ky7qdaq0jfkt180omfahbsxtoemfwstjhrf98y3b7qpytbkm53ic99ghpiqdkqb08j6gearo4kw9zeavehjvndabyoneili9qcs65tnsg9cpror28i725394tkf4rxxp62cq46xd9';

// The OAuth access token must be included in the Authorization header of the request.
$curl = curl_init($apiAccessTokenUrl);
curl_setopt($curl, CURLOPT_HTTPHEADER, ['Authorization: Bearer ' . $OAuthAccessToken]);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
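$response = curl_exec($curl);
if ($response === false) {
    // Transport-level failure (DNS, TLS, timeout): no token was issued.
    throw new RuntimeException('Token request failed: ' . curl_error($curl));
}
curl_close($curl);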

The $response contains the access_token, which is the API access token used to access the Shoptet API.

An example response might look as follows:

{"access_token":"123456-a-fltqc2nn5zg8y5h69jx8976ltwi2p1qg","expires_in":1800}

Next, decode the response to retrieve the access_token:

$response = json_decode($response, TRUE);
$apiAccessToken = $response['access_token'];

You will use the obtained API access token to call Shoptet API endpoints. For instructions on how to create requests and for a full list of available endpoints, please refer to the documentation.

We recommend saving the token’s expiration time along with the token itself, so you can check its validity before making a request. If the token has expired, you should request a new API access token. Alternatively, you can handle the invalid token error message returned by the API and repeat the request after obtaining a new token. Once the token has expired, the API will return a 401 Unauthorized status code.

Example of expired or invalid token response:

{
    "data": null,
    "errors": [{
        "errorCode": "invalid-token",
        "message": "Invalid access token 123456-a-fltqc2nn5zg8y5h69jx8976ltwi2p1qg.",
        "instance": "access-token"
    }]
}
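
The expiry check and the 401 handling recommended above can be combined in one place. The following is an added PHP example, not Shoptet's own code: it caches the token with its expiration time and renews it once when the API answers with invalid-token. The class and function names are hypothetical, the 60-second renewal margin is an assumption, and the OAuth server and API endpoint are replaced by constructed stubs so the script runs offline.

```php
<?php
// Added example, not Shoptet's code. All class and function names are hypothetical.
final class ApiTokenProvider
{
    private ?string $token = null;
    private int $expiresAt = 0;
    // $fetch performs the getAccessToken request and returns the raw JSON body.
    // $margin (assumed: 60 s) renews early to absorb clock skew and request latency.
    public function __construct(private Closure $fetch, private int $margin = 60) {}

    public function get(int $now): string
    {
        if ($this->token === null || $now >= $this->expiresAt - $this->margin) {
            $data = json_decode(($this->fetch)(), true);
            if (!is_array($data) || !isset($data['access_token'], $data['expires_in'])) {
                throw new RuntimeException('Unexpected token endpoint response');
            }
            $this->token = (string) $data['access_token'];
            $this->expiresAt = $now + (int) $data['expires_in'];
        }
        return $this->token;
    }
    // Drop the cached token after the API rejects it.
    public function invalidate(): void { $this->token = null; }
}

function isInvalidToken(string $body): bool
{
    $decoded = json_decode($body, true);
    $errors = is_array($decoded) ? (array) ($decoded['errors'] ?? []) : [];
    return in_array('invalid-token', array_column($errors, 'errorCode'), true);
}

// $call(token) returns [httpStatus, body]. One retry only, so a persistent 401 cannot loop.
function callWithToken(ApiTokenProvider $tokens, Closure $call, int $now): array
{
    [$status, $body] = $call($tokens->get($now));
    if ($status === 401 && isInvalidToken($body)) {
        $tokens->invalidate();
        [$status, $body] = $call($tokens->get($now));
    }
    return [$status, $body];
}

// Constructed stubs standing in for the OAuth server and an API endpoint.
$issued = 0;
$fetch = function () use (&$issued) { return json_encode(['access_token' => 'tok-' . ++$issued, 'expires_in' => 1800]); };
$call = fn (string $t) => $t === 'tok-1' ? [401, '{"data":null,"errors":[{"errorCode":"invalid-token"}]}'] : [200, '{"data":{}}'];
[$status] = callWithToken(new ApiTokenProvider($fetch), $call, time());
echo "status=$status tokens_requested=$issued\n"; // counts only; token values are never printed
```

Reusing the cached token until it is close to expiry also keeps an installation under the limit of 5 valid API access tokens per OAuth access token.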