Skip to content
/
Quickstart
Last updated

Quickstart

Ready to dive in? This guide will get you making API calls to the Wallapop API in no time.

Prerequisites

Before you start, make sure you have the following:

  • client_id (provided by Wallapop)
  • client_secret (provided by Wallapop)
  • redirect_uri

Quick Start Flow

Here’s a high-level overview of the steps you’ll follow:

Generate code verifier
and challenge
Request Authorization Code
Exchange for access token
Send your first API call
Refresh the access token

1️⃣ Generating PKCE Code Verifier & Code Challenge

To access Wallapop resources, you need an access token, obtained by exchanging an authorization code.

Since we're using PKCE (Proof Key for Code Exchange), your app must first generate:

  • Code Verifier: A random, URL-safe string (≥ 43 characters).
  • Code Challenge: A hashed, encoded version of the verifier:
BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))

2️⃣ Requesting an Authorization Code

Your app must request an authorization code from the authorization server's /auth endpoint.

OAuth scopes

No need to set OAuth scopes—just request the code, and you're good to go!

🔹 Request

curl -i -X GET \
  'https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/auth?client_id=string&response_type=code&redirect_uri=http%3A%2F%2Fexample.com&code_challenge=string&code_challenge_method=S256'

🔹 Response

After sending the request, the authorization server responds with an authorization code to the redirect_uri.

3️⃣ Exchanging Tokens

Now, exchange the authorization code for an access_token by sending it along with the code_verifier to the authorization server’s /token endpoint.

🔹 Request

curl -i -X POST \
  https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: string' \
  -d grant_type=authorization_code \
  -d code=string \
  -d redirect_uri=http://example.com \
  -d code_verifier=string \
  -d client_id=string \
  -d client_secret=string

🔹 Response

A successful request returns:

200 OK response
access_token (valid for 5 minutes)
refresh_token (used to get a new access token)

4️⃣ Sending Your First API Call (Create an Item)

With your access_token, you can now make API requests. Let's create an item!

Using real values

This is just a demo! Swap out the example values with your own, using the Request Body Schema tab for field details.

🔹 Request

curl -i -X POST \
  https://connect.wallapop.com/items \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "item": {
      "category_leaf_id": "9931",
      "title": "Title example",
      "description": "A renowned line of performance and lifestyle sneakers that offer superior comfort, support, and style both on and off the court.",
      "price": {
        "cash_amount": 75.5,
        "currency": "EUR"
      },
      "attributes": {
        "external_id": "407947058",
        "brand": "Abc Design",
        "size": 34,
        "condition": "new",
        "color": "yellow"
      },
      "hashtags": [
        "awesome",
        "original"
      ],
      "delivery": {
        "allowed_by_user": true,
        "max_weight_kg": 10,
        "free_shipping": false
      }
    },
    "main_image": {
      "url": "http://cdn.portal.com/image129.jpg"
    },
    "stock": {
      "units": 0
    }
  }'

🔹 Response

✅ A successful request returns 201 Created with the id of the newly created item.

🔄 Refreshing the Access Token

Your access_token expires after 5 minutes, but don’t worry—you can refresh it using the refresh_token.

🔹 Request

curl -i -X POST \
  https://iam.wallapop.com/realms/wallapop-connect/protocol/openid-connect/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d grant_type=refresh_token \
  -d refresh_token=string \
  -d client_id=string \
  -d client_secret=string

🔹 Response

✅ A successful request returns a 200 OK status with a new access_token and a new refresh_token.

📌 The refresh_token is valid for 180 days, so you won’t need to log in again anytime soon!

🎉 Next Steps

Congrats! 🎊 You’ve completed the Quickstart and successfully:

✅ Generated an OAuth 2.0 PKCE challenge
✅ Retrieved an authorization code
✅ Exchanged it for an access token
✅ Made your first API call
✅ Refreshed your token

Now, explore more:

🔹 Check out the full API Catalog for all available endpoints.
🔹 Learn more about OAuth 2.0 authentication in the Authentication Guide.

🚀 Happy coding!

Previous page
Next page