allegro / allegro-api

Issue tracker and wiki for Allegro REST API
https://developer.allegro.pl/

Authorization method for automated access to products, offers and orders #9117

Open Tomas-Hutyra opened 5 months ago

Tomas-Hutyra commented 5 months ago

Hello, I'm developing a connection from an ERP system to your marketplace. The idea is that the ERP will send information about products and offers to Allegro and download offers. It will be done automatically without user interaction. Which authorization method is suitable for this purpose?

From the documentation it seems to me that there is no authorization method allowing access to products, offers and orders which does not require client login. The only exception is the Client_credentials flow, but it is intended for public data only. Am I right, or is there something similar for non-public data?

Thank you and have a nice day,

Tomas Hutyra

Toumash commented 5 months ago

@Tomas-Hutyra to fetch non-public data you need bearer-token-for-user. To grab it follow the docs:

If your ERP is something web-accessible, take the Authorization Code Flow option and store both access_token and refresh_token in an encrypted secure storage. It's critical to store them as securely as passwords, because leaking the access_token will grant access to the user's Allegro account for a few hours (?), but when the refresh_token gets compromised it's over, because the attacker can refresh it forever until the user manually disconnects your Allegro App Registration.

You would need to refresh both tokens using the method described at the bottom of the Auth code docs: https://developer.allegro.pl/tutorials/uwierzytelnianie-i-autoryzacja-zlq9e75GdIR#przedluzenie-waznosci-tokena

Lukasz-Zurek commented 5 months ago

Toumash is right. The client_credentials authorization has no user context, this is why you won't retrieve products or offers data while using this method.

In our documentation you will find the appropriate indication of what type of authorization is required for a given resource:

Extending token validity is something that should interest you.

While the basic access token (access_token) is valid for 12 hours, by extending token validity you will be able to generate a new pair of access_token (valid for another 12 hours) and refresh_token (valid for another 3 months), and it will not require the user to perform any additional actions.

stale[bot] commented 5 months ago

There was no new reply in this thread within 7 days, therefore we automatically marked it as expired. If no response is received within the next 7 days, this thread will be closed. Thank you for engaging in the discussion. We encourage you to complete our forum support survey.

Tomas-Hutyra commented 4 months ago

Hello, the refresh token works well, but when I tried to use it the next day I got the message "Invalid refresh token". I thought the refresh token is valid for 3 months. Is that right? Or should it be periodically refreshed as well? Thank you and have a nice day, TH

PrzemyslawLukanowski commented 4 months ago

Hello, the refresh token is valid for three months, but after it's used to generate a new pair of tokens it's no longer valid - you need to use the new tokens (new access token and refresh token).

Tomas-Hutyra commented 4 months ago

OK, thanks for the quick answer. When that happens, is the validity of the refresh token also extended? I.e. is it 3 months since the first login or 3 months since the last creation of a new pair?

PrzemyslawLukanowski commented 4 months ago

The refresh token is valid for three months after you generate one (so it can be from the first pair of tokens or after using the refresh token to create a new pair of tokens). The validity is extended by generating a new pair (but the expiration of a single refresh token remains the same: 3 months, or the moment you use the given refresh token to create a new pair of tokens). If I misunderstood your question, could you please clarify it a little bit more?

Tomas-Hutyra commented 4 months ago

I believe you got it right. Just to be sure, is the following example correct?

The user logs in on 25.6.2024 6:00. They get an access token valid until 25.6.2024 18:00 and a refresh token valid until 25.9.2024 6:00.

During 25.6.2024 18:01 - 26.6.2024 05:59, the user won't be able to perform operations because of the expired access token.

The next day (26.6.2024 6:00) the refresh token is used. A new access token valid until 26.6.2024 18:00 and a new refresh token valid until 26.9.2024 6:00 are created.

PrzemyslawLukanowski commented 4 months ago

Yes, but please note that if on 27.6.2024 6:00 you use the refresh token from this point, it will lose its validity, and the valid pair of tokens will be the newly generated ones.
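The rules the thread settles on (12-hour access token, 3-month single-use refresh token, new pair on every refresh, no user interaction needed) translate into a small piece of client-side logic that an unattended ERP integration has to get right: refresh before the access token lapses instead of waiting until the next day, persist the new pair before using it, and never retry with a consumed refresh token. The example below is added here and is not Allegro's code or part of the thread. The token endpoint is a simulation of the behaviour described above (the real endpoint, parameters and the Authorization Code Flow itself are in the linked tutorial); `SimulatedAuthServer`, `TokenStore`, `get_valid_access_token`, the 90-day approximation of "3 months" and the 5-minute refresh margin are all assumptions made for the example.

```python
"""Refresh-token rotation for an unattended integration (added example, not Allegro's code).

The auth server is a constructed stand-in that mirrors the thread's rules:
access tokens live 12 hours, refresh tokens live 3 months (90 days here, an
assumption) and each refresh token can be used exactly once.
"""
from __future__ import annotations

import json
import os
import secrets
import tempfile
from datetime import datetime, timedelta, timezone

ACCESS_TTL = timedelta(hours=12)
REFRESH_TTL = timedelta(days=90)      # "3 months" in the thread; 90 days is an assumption
REFRESH_MARGIN = timedelta(minutes=5)  # refresh slightly early to avoid the 18:01-05:59 gap


class SimulatedAuthServer:
    """Constructed stand-in for the token endpoint; NOT the real Allegro API."""

    def __init__(self) -> None:
        self._refresh_expiry: dict[str, datetime] = {}  # outstanding refresh tokens

    def _issue(self, now: datetime) -> dict:
        refresh = secrets.token_urlsafe(24)
        self._refresh_expiry[refresh] = now + REFRESH_TTL
        return {
            "access_token": secrets.token_urlsafe(24),
            "refresh_token": refresh,
            "access_expires_at": (now + ACCESS_TTL).isoformat(),
            "refresh_expires_at": (now + REFRESH_TTL).isoformat(),
        }

    def login(self, now: datetime) -> dict:
        """End of the Authorization Code Flow: the user has just consented."""
        return self._issue(now)

    def refresh(self, refresh_token: str, now: datetime) -> dict:
        """Rotate the pair; the presented refresh token is consumed either way."""
        expiry = self._refresh_expiry.pop(refresh_token, None)
        if expiry is None or now >= expiry:
            raise PermissionError("Invalid refresh token")
        return self._issue(now)


class TokenStore:
    """Persists the current pair: file created with mode 0600, replaced atomically."""

    def __init__(self, path: str) -> None:
        self.path = path

    def save(self, pair: dict) -> None:
        tmp = self.path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump(pair, fh)
        os.replace(tmp, self.path)  # a reader never sees a half-written pair

    def load(self) -> dict:
        with open(self.path) as fh:
            return json.load(fh)


def get_valid_access_token(store: TokenStore, server: SimulatedAuthServer, now: datetime) -> str:
    """Return a usable access token, rotating the stored pair when needed."""
    pair = store.load()
    if now + REFRESH_MARGIN < datetime.fromisoformat(pair["access_expires_at"]):
        return pair["access_token"]
    if now >= datetime.fromisoformat(pair["refresh_expires_at"]):
        raise RuntimeError("refresh token expired; the user must authorize again")
    new_pair = server.refresh(pair["refresh_token"], now)  # PermissionError -> re-authorize
    store.save(new_pair)  # persist first: the old refresh token is already dead
    return new_pair["access_token"]


def run_scenario() -> dict:
    """Walk the thread's timeline (login 25.6.2024 6:00) and report what happened."""
    t0 = datetime(2024, 6, 25, 6, 0, tzinfo=timezone.utc)
    server, out = SimulatedAuthServer(), {}
    with tempfile.TemporaryDirectory() as d:
        store = TokenStore(os.path.join(d, "tokens.json"))
        first = server.login(t0)
        store.save(first)
        # 07:00 the same day: access token still good, nothing is refreshed
        out["reused_within_12h"] = get_valid_access_token(store, server, t0 + timedelta(hours=1)) == first["access_token"]
        # 18:01: access token expired, refresh token valid -> new pair, no user action
        new_access = get_valid_access_token(store, server, t0 + timedelta(hours=12, minutes=1))
        second = store.load()
        out["rotated"] = new_access != first["access_token"] and second["refresh_token"] != first["refresh_token"]
        out["new_refresh_expiry"] = second["refresh_expires_at"]
        # replaying the consumed refresh token is rejected, as the thread observed
        try:
            server.refresh(first["refresh_token"], t0 + timedelta(days=1))
            out["old_refresh_reusable"] = True
        except PermissionError:
            out["old_refresh_reusable"] = False
        # leaving the new pair unused for 100 days: only a fresh login can recover
        try:
            get_valid_access_token(store, server, t0 + timedelta(days=100))
            out["reauth_needed_after_expiry"] = False
        except RuntimeError:
            out["reauth_needed_after_expiry"] = True
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The save-before-use ordering is the part that matters operationally: if the process dies between receiving the new pair and writing it, the old refresh token is already consumed and the only way back is a fresh Authorization Code Flow, which is the "Invalid refresh token" situation from the thread. Against the real endpoint the `refresh` call would be an HTTP request authenticated with the app's client credentials as the tutorial describes.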

Tomas-Hutyra commented 4 months ago

OK, understood. Thank you.

stale[bot] commented 4 months ago

There was no new reply in this thread within 7 days, therefore we automatically marked it as expired. If no response is received within the next 7 days, this thread will be closed. Thank you for engaging in the discussion. We encourage you to complete our forum support survey.