Authentication for the Marketplace APIs is performed with a pair of tokens sent in the request headers. The following pair of tokens is expected in each request:

client_id: APP Identification. Its generation occurs at the moment of APP creation, through the developer dashboard. Its value can be viewed on the Token column of the APPs list, and it can be used both in the Sandbox and in the Production environment, after the application undergoes the validation process.
access_token: Access token identification, which stores the access rules granted to the APP. It is generated at two points during the API integration process.

Acquisition of Access Token for Sandbox environment

As soon as a new APP is created on the developer portal, an access_token is created with the access rules needed to use the Sandbox APIs. It can be viewed on “APP Details”, in the APPs list of the developer portal.

Acquisition of Access Token for Production environment

As soon as your APP undergoes the validation process, you will need a new access_token, with the necessary access rules for the production environment. Unlike in the Sandbox environment, this new access_token is not generated automatically.

The new access_token is generated through a procedure that follows an OAuth2 authentication flow. Learn more about the OAuth2 flow to generate the Production access_token.

Transport Protocol

All information exchanged with the APIs is carried over the HTTPS protocol, which ensures a safe channel, so the tokens do not need to be encrypted manually. Learn more details about the HTTPS protocol usage.

Authentication Errors

Some errors can be returned during token authentication. See the errors list below:

Absence of one of the Tokens: Both Tokens must be sent in every request. If one of them is absent, a 401 Unauthorized error is returned.
Nonexistent/wrong Token: If either Token does not exist or contains an error (for example, if it has been changed), a 401 Unauthorized error is returned.
Revoked Tokens (invalid): If any of the Tokens has been revoked, it is considered invalid, and a 403 Forbidden error is returned.

For errors caused by an absent Token and/or a wrong/nonexistent Token, you can work with the developer to verify that the supplied information is valid. For revoked tokens (invalid), the only applicable action is to request a new token.
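
The token pair, the HTTPS requirement and the error list above can be enforced on the client side before and after each call. The following is an added example, not code from the Marketplace documentation: it assumes the header names are literally client_id and access_token, and the URL and token values are constructed placeholders.

```python
import urllib.request
from urllib.parse import urlsplit

# Assumption: the header names match the token names used on this page.
CLIENT_ID_HEADER = "client_id"
ACCESS_TOKEN_HEADER = "access_token"


class AuthConfigError(ValueError):
    """Raised before any network I/O when the request would be rejected or unsafe."""


def build_request(url, client_id, access_token):
    """Return a urllib Request carrying both tokens, or raise AuthConfigError."""
    if urlsplit(url).scheme.lower() != "https":
        # The tokens rely on the HTTPS channel for protection, so plain HTTP would expose them.
        raise AuthConfigError("refusing to send tokens over a non-HTTPS URL")
    for name, value in ((CLIENT_ID_HEADER, client_id), (ACCESS_TOKEN_HEADER, access_token)):
        if not value or not value.strip():
            raise AuthConfigError(f"{name} is missing; the API would answer 401")
        if any(ch in value for ch in "\r\n"):
            # A line break inside a header value could smuggle extra headers.
            raise AuthConfigError(f"{name} contains a line break")
    return urllib.request.Request(url, headers={
        CLIENT_ID_HEADER: client_id,
        ACCESS_TOKEN_HEADER: access_token,
    })


def redact(token):
    """Shorten a token for log output so the full value never lands in logs."""
    return token[:4] + "..." if len(token) > 8 else "***"


def auth_action(status):
    """Map an HTTP status to the follow-up this page prescribes."""
    if status == 401:
        return "check-tokens"        # one token absent, nonexistent or altered
    if status == 403:
        return "request-new-token"   # token revoked; retrying with it cannot succeed
    return "not-an-auth-error"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real endpoint.
    req = build_request("https://api.example.test/v1/items", "demo-client-id", "demo-access-token")
    print(req.full_url, redact("demo-access-token"), auth_action(403))
```

Treating 403 as non-retryable keeps a revoked token from being resent in a loop, and redacting tokens keeps them out of application logs.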