I have been experimenting with the sandbox and production eBay API. I managed to get the sandbox API to work but only if the scope list is empty. If I add the scopes, it returns an error message "The requested scope is invalid, unknown, malformed, or exceeds the scope granted to the client". I am trying to understand why this error is occurring and how I can alter scopes.
Here is a successful access token returned for the sandbox API. Notice how the scopes parameter is unchecked and not sent in the request body. The scope list is not specified but it still works and returns an access token. Why is this? Wouldn't it need scopes?
When I enable the scopes, I receive the error "The requested scope is invalid, unknown, malformed, or exceeds the scope granted to the client".
Let’s go through an example:
I want to use a "Client Credentials Grant Type" and not an "Authorization Code Grant". Be aware that a client credential does not require user authorization since it is meant for application use only. Therefore, this post does not apply to the question.
Here is a client credential scope that my application keyset has access to.
Here I create and send the request with the "https://api.ebay.com/oauth/api_scope" scope. I have URL encoded the scope per the documentation.
Here I create and send the request in postman with no scope specified. An access code is successfully returned.
Why does the access code request fail if a scope is specified? Do I not need to specify scopes because I see this in the documentation….
How do I know if an endpoint falls under an "ebay call" and doesn’t require a scope? ….or does it require a scope?
2 Answers
Why your request succeeds with no scopes
Take a look at this section on the eBay API site.
It says:
I believe when you send a request with no scopes, it defaults to another list of scopes and that’s why your request succeeds with no scopes.
Why your request fails
On the same page, in this section, it says:
"The request you use to generate the new token must include a list of scopes that allows access to all the methods you plan to call with the token."
I can’t see all your scopes in your example but my guess is you are sending your request without all of the scopes you need for your application and, if you send a request with anything less than all scopes, it will reject your request.
How to check the needed scopes for your token request
On that page there is this section that covers seeing all the scopes you need for a request.
If you follow the instructions you should be able to see an example request and see what kind of scopes you have assigned to your application.
OAuth can be tricky but it looks like you’re on the right path! Sometimes stepping away from it helps too but I think you’re on the right path and hope this helps!
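As an added example (not code from the question, the answer, or eBay), the following builds the client-credentials token request the way an OAuth 2.0 client does, checks the requested scopes against the scopes the keyset is granted (the "exceeds the scope granted to the client" case), and decodes the form body once, as the token endpoint does, so a scope that was percent-encoded twice (a "malformed" scope) shows up before the request is sent. The client id, secret and granted-scope set are placeholders you fill in from the developer portal.

```python
import base64
from urllib.parse import urlencode, parse_qs


def build_token_request(client_id: str, client_secret: str, scopes: list[str]) -> tuple[dict, str]:
    """Return (headers, body) for a client-credentials token request.

    The scope parameter is a space-separated list of scope URLs. urlencode()
    percent-encodes the raw URLs exactly once; pre-encoding them by hand and
    then letting the HTTP client encode the body again is what produces a
    "malformed" scope at the server.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body


def missing_scopes(requested: list[str], granted: set[str]) -> set[str]:
    """Requested scopes the keyset is not granted. Any non-empty result means
    the token endpoint will reject the whole request, not just the extra scope."""
    return set(requested) - granted


def scopes_as_server_sees(body: str) -> tuple[list[str], bool]:
    """Decode the form body once (as the server does) and return the scope list
    plus a flag that is True when a '%' survives, i.e. the scope was encoded twice."""
    scope = parse_qs(body).get("scope", [""])[0]
    return scope.split(), "%" in scope


if __name__ == "__main__":
    # Constructed placeholders: take the real values from your application keyset.
    GRANTED = {"https://api.ebay.com/oauth/api_scope"}
    wanted = ["https://api.ebay.com/oauth/api_scope"]
    print("missing:", missing_scopes(wanted, GRANTED) or "none")
    headers, body = build_token_request("APP-ID-PLACEHOLDER", "SECRET-PLACEHOLDER", wanted)
    print(body)
    print("server sees:", scopes_as_server_sees(body))
```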
I have the same issue and it seems the client credential grant type no longer supports all the scopes and is limited to public info and not scopes related to that specific user. Probably eBay decided we must all use the application auth workflow instead and get consent each time.