
Authentication and Authorization Guide

Welcome to the Wallapop Connect API authentication guide! Here, you'll learn how to securely integrate your application using the OAuth 2.0 Authorization Code Flow with PKCE, a modern, secure way to handle authentication. This method ensures your app communicates safely with Wallapop's resource server while following industry best practices from the OAuth 2.0 Security Best Current Practice RFC.

To make life easier, we highly recommend using an OAuth 2.0 client library to handle the heavy lifting for you.


How OAuth 2.0 Authorization Code Flow with PKCE Works

Here's a high-level overview of what happens when a user logs in:

Participants: User, Your Application, Wallapop Auth Server, Wallapop Server.

    1. Your Application: Generate Code Verifier and Code Challenge
    2. User → Your Application: Click login
    3. Your Application → Wallapop Auth Server: Request authorization code with Code Challenge
    4. Wallapop Auth Server → User: Redirect to login/authorization prompt
    5. User → Wallapop Auth Server: Authenticate and consent
    6. Wallapop Auth Server → Your Application: Return authorization code
    7. Your Application → Wallapop Auth Server: Exchange authorization code and Code Verifier for tokens
    8. Wallapop Auth Server → Your Application: Issue access and refresh tokens
    9. Your Application → Wallapop Server: Use access token to request resources
    10. Wallapop Server → Your Application: Return requested resources

Setting Up Your OAuth Integration

🔗 Redirect URI

The redirect_uri tells Wallapop where to send the user after login. It should be an endpoint in your app, like /callback, where your app will handle the authorization code.

🔑 Client ID and Secret

Wallapop provides a client_id (public) and a client_secret (private). You'll need these to authenticate your app.

๐Ÿ” PKCE Code Verifier & Code Challenge

To access Wallapop resources, you need an access token obtained by exchanging an authorization code.

Since we're using PKCE (Proof Key for Code Exchange), the first step is for your app to generate a code_verifier and a code_challenge:

  • code_verifier: A randomly generated, URL-safe string with at least 43 characters.
  • code_challenge: A value derived from the code_verifier, calculated as follows:
    1. Apply SHA-256 hashing to the code verifier.
    2. Encode the result using Base64 URL encoding (without padding).

The final transformation can be represented as:

BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))
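As an added example (not code from the Wallapop guide), the transformation above in Python using only the standard library; the function names are ours. The RFC 7636 test vector makes the result checkable: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must yield the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.

```python
import base64
import hashlib
import secrets

# Added example, not Wallapop's own code. Implements
# code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) as in the guide.


def b64url_no_pad(data: bytes) -> str:
    """Base64 URL encoding with the trailing '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """32 random bytes encode to exactly 43 URL-safe characters, the minimum length allowed."""
    return b64url_no_pad(secrets.token_bytes(n_bytes))


def code_challenge_for(code_verifier: str) -> str:
    """S256 transformation, the one announced with code_challenge_method=S256."""
    if not 43 <= len(code_verifier) <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return b64url_no_pad(digest)


def verifier_matches(code_verifier: str, code_challenge: str) -> bool:
    """The check the authorization server performs at the /token step:
    recompute the challenge from the presented verifier and compare."""
    expected = code_challenge_for(code_verifier)
    return secrets.compare_digest(expected, code_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = code_challenge_for(verifier)
    print("code_verifier: ", verifier)   # keep this one on your server until the /token call
    print("code_challenge:", challenge)  # this one goes into the /auth request
```

The verifier is generated once per login attempt and stored server-side; only the challenge is placed in the browser-visible authorization URL.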

🚀 OAuth Authentication Process: Step by Step

Here's how your app gets access:

  1. User initiates login
  2. Request Authorization Code
  3. User authenticates
  4. Authorization Code Received
  5. Exchange Authorization Code for Tokens
  6. Refresh Tokens

1๏ธโƒฃ User Logs In

The user clicks Login in your app.

2๏ธโƒฃ Request an Authorization Code

Your app sends a request to the authorization server's /auth endpoint with:

  • redirect_uri
  • code_challenge
  • Other required parameters
OAuth scopes

Just request the code: there's no need to set extra OAuth scopes!

curl -i -X GET \
  'https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/auth?client_id=string&response_type=code&redirect_uri=http%3A%2F%2Fexample.com&code_challenge=string&code_challenge_method=S256'

3๏ธโƒฃ User Authentication

The professional user is redirected to Wallapop's login page. Once they have authenticated with the email and password they use on Wallapop, they are sent back to your app.


4๏ธโƒฃ Authorization Code Received

Your app receives an authorization code via the redirect_uri.

5๏ธโƒฃ Exchange Authorization Code for Tokens

Your app sends a POST request to /token with:

  • Authorization code
  • code_verifier
  • Other required parameters

curl -i -X POST \
  https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: string' \
  -d grant_type=authorization_code \
  -d code=string \
  -d redirect_uri=http://example.com \
  -d code_verifier=string \
  -d client_id=string \
  -d client_secret=string

💡 Response:

  • access_token (short-lived, grants access to Wallapop resources)
  • refresh_token (used to get a new access token when expired)
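Steps 2 to 5 as one server-side client, added here as an example rather than taken from the Wallapop guide or SDK. The endpoints are the ones shown in the curl commands; CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders, and the function names are ours. The state parameter is the standard OAuth 2.0 one (it is not in the curl above): the app checks it on the callback so that a redirect which did not originate from this login attempt is rejected before any code is exchanged. No request is sent; the block builds the authorization URL, parses a constructed callback, and produces the form body for the /token POST.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not Wallapop's own code. Endpoints from the guide; the three
# values below are placeholders, not real credentials.
AUTH_URL = "https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/auth"
TOKEN_URL = "https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/token"
CLIENT_ID = "YOUR_CLIENT_ID"                   # placeholder
CLIENT_SECRET = "YOUR_CLIENT_SECRET"           # placeholder; lives on your server only
REDIRECT_URI = "https://example.com/callback"  # placeholder; must match the registered value


def _b64url(data: bytes) -> str:
    """Base64 URL encoding without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_login() -> tuple:
    """Step 2: build the /auth URL the browser is sent to.

    Returns (url, login_state). login_state holds the per-attempt secrets the
    callback needs; keep it server-side, bound to the user's browser session.
    """
    code_verifier = _b64url(secrets.token_bytes(32))  # 43 URL-safe chars
    code_challenge = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    state = secrets.token_urlsafe(16)  # standard OAuth 2.0 'state' parameter
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,  # urlencode percent-encodes it, as in the curl above
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return AUTH_URL + "?" + urlencode(params), {"code_verifier": code_verifier, "state": state}


def handle_callback(callback_url: str, login_state: dict) -> str:
    """Step 4: pull the authorization code out of the redirect to redirect_uri.

    A callback whose state does not match the one issued for this session is
    rejected, so the code in it is never exchanged under this user's session.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    got_state = query.get("state", [""])[0]
    if not secrets.compare_digest(got_state.encode(), login_state["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_body(code: str, login_state: dict) -> dict:
    """Step 5: form fields for POST /token (application/x-www-form-urlencoded).

    The code_verifier leaves your server only here, straight to the token
    endpoint; it never travels through the browser.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": login_state["code_verifier"],
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


if __name__ == "__main__":
    url, login = start_login()
    print("Redirect the user to:", url)
    # Constructed callback URL, shaped like the one the browser delivers after login:
    callback = f"{REDIRECT_URI}?code=CODE_FROM_WALLAPOP&state={login['state']}"
    code = handle_callback(callback, login)
    print("POST", TOKEN_URL)
    print(urlencode(token_request_body(code, login)))
```

Because the client_secret is part of the token request, this flow belongs in a backend; a browser-only or mobile app has nowhere safe to keep it.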

Making API Calls with Your Access Token

Now that you have an access_token, you can start making API requests! Just include it in the Authorization header like this:

curl -v 'https://connect.wallapop.com/{uri}/' \
  -H 'Authorization: Bearer ${access_token}'

Additional headers

Some requests may require extra headers. Check the API catalog for details.


First API Call: Create an Item

For your first API request, create an item while passing the access token in the Bearer authorization header.

Using real values

This is just a demo! Feel free to swap out the example values with your own, using the Request Body Schema tab for field details.

Request

curl -i -X POST \
  https://connect.wallapop.com/items \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "item": {
      "category_leaf_id": "9931",
      "title": "Title example",
      "description": "A renowned line of performance and lifestyle sneakers that offer superior comfort, support, and style both on and off the court.",
      "price": {
        "cash_amount": 75.5,
        "currency": "EUR"
      },
      "attributes": {
        "external_id": "407947058",
        "brand": "Abc Design",
        "size": 34,
        "condition": "new",
        "color": "yellow"
      },
      "hashtags": [
        "awesome",
        "original"
      ],
      "delivery": {
        "allowed_by_user": true,
        "max_weight_kg": 10,
        "free_shipping": false
      }
    },
    "main_image": {
      "url": "http://cdn.portal.com/image129.jpg"
    },
    "stock": {
      "units": 0
    }
  }'

A successful request returns a 201 Created response, including the id of the newly created item in the response body.

🔄 Refreshing Your Access Token

Tokens expire, but you don't have to make users log in again! Instead, refresh the token:

curl -i -X POST \
  https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d grant_type=refresh_token \
  -d refresh_token=string \
  -d client_id=string \
  -d client_secret=string

  • Refresh Token Lifetime: 180 days

Please be aware of the access token rate limits 😉.
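The Bearer call from "Making API Calls with Your Access Token" and the refresh_token grant above, combined into one small session object. This is an added example, not Wallapop's SDK: the endpoints are the ones in the guide, the credentials are placeholders, and FakeWallapop is a constructed stand-in for the auth and resource servers so the demo runs offline. The session refreshes shortly before the access token's expires_in runs out, and retries once after a refresh if the API answers 401 anyway (a token revoked server-side, or a clock that drifted).

```python
import time
from urllib.parse import urlencode

# Added example, not Wallapop's own code. Endpoints from the guide; the
# credentials are placeholders, not real values.
TOKEN_URL = "https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/token"
API_BASE = "https://connect.wallapop.com"
CLIENT_ID = "YOUR_CLIENT_ID"          # placeholder
CLIENT_SECRET = "YOUR_CLIENT_SECRET"  # placeholder


class TokenSession:
    """Keeps the token pair and refreshes the access token before using a stale one.

    transport(method, url, headers, body) -> (status, parsed_json) is supplied by
    the caller, so the same logic works over any HTTP library.
    """

    def __init__(self, transport, access_token, refresh_token, expires_in, clock=time.time):
        self.transport = transport
        self.clock = clock
        self._store(access_token, refresh_token, expires_in)

    def _store(self, access_token, refresh_token, expires_in):
        self.access_token = access_token
        self.refresh_token = refresh_token
        # Refresh 30 s early so a request never leaves with a token that dies in flight.
        self.expires_at = self.clock() + expires_in - 30

    def refresh(self):
        """The refresh_token grant from the guide, as a form-encoded POST to /token."""
        body = urlencode({
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        })
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        status, resp = self.transport("POST", TOKEN_URL, headers, body)
        if status != 200:
            raise RuntimeError(f"refresh failed (HTTP {status}); the user must log in again")
        # If the server rotates the refresh token, keep the newest one; otherwise keep ours.
        self._store(resp["access_token"], resp.get("refresh_token", self.refresh_token),
                    resp["expires_in"])

    def request(self, method, path, body=None):
        """Call the API with the Bearer header; one retry after a refresh on 401."""
        if self.clock() >= self.expires_at:
            self.refresh()
        headers = {"Authorization": f"Bearer {self.access_token}"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        status, resp = self.transport(method, API_BASE + path, headers, body)
        if status == 401:  # rejected despite our clock: refresh once and retry
            self.refresh()
            headers["Authorization"] = f"Bearer {self.access_token}"
            status, resp = self.transport(method, API_BASE + path, headers, body)
        return status, resp


class FakeWallapop:
    """Constructed stand-in for the auth and resource servers (offline demo only)."""

    def __init__(self):
        self.valid = {"tok-1"}
        self.calls = []  # (method, url, Authorization header) for every request seen
        self.n = 1

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers.get("Authorization")))
        if url == TOKEN_URL:
            if "grant_type=refresh_token" not in body:
                return 400, {"error": "unsupported_grant_type"}
            self.n += 1
            tok = f"tok-{self.n}"
            self.valid.add(tok)
            return 200, {"access_token": tok, "refresh_token": f"ref-{self.n}", "expires_in": 300}
        if headers.get("Authorization", "").removeprefix("Bearer ") not in self.valid:
            return 401, {"error": "invalid_token"}
        return 200, {"ok": True}


def demo():
    """One call with a fresh token, then one after expiry; returns the fake server's call log."""
    now = [1000.0]
    server = FakeWallapop()
    session = TokenSession(server, "tok-1", "ref-1", expires_in=300, clock=lambda: now[0])
    session.request("GET", "/items/123")  # still valid: goes straight out with tok-1
    now[0] += 400                          # the access token has expired meanwhile
    session.request("GET", "/items/123")  # refresh first, then the call with tok-2
    return server.calls


if __name__ == "__main__":
    for method, url, auth in demo():
        print(method, url, auth)
```

A refresh that fails is surfaced as an error rather than retried in a loop: the refresh token has its own 180-day lifetime, and once it is gone the only recovery is a new login.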


🎯 Ready to Go?

That's it! You now know how to authenticate users, obtain access tokens, and interact with the Wallapop API securely. If you have any questions, be sure to check our Frequently Asked Questions section.

Now go ahead: connect, build, and innovate! 🚀

For a full list of endpoints and options, check out the API catalog, your go-to reference for everything Wallapop API.