I'm an individual, who wants to develop for my own Shop. How do I get my Whatnot Seller API token?
#
Create an account in Whatnot's staging environment . Then, please email us at [email protected] with your username. We will generate and provide your access token through a secure link with a short expiration window.
How do I authorize API requests once I have my API token?
#
Please include your API token in every request you make using the Bearer token format, using the following header format:
Note: in staging, your key will include the prefix wn_access_tk_test_
; in production, the prefix will be wn_access_tk_
.
My token was leaked or compromised! What should I do?
#
If your token gets leaked or otherwise compromised, please email us immediately at [email protected] . We will issue you a new token and deactivate the compromised one.
I'm a 3rd Party Service. How can I request access to a user's account to update their data?
#
Whatnot allows you to request access to customer accounts using the OAuth Authentication Framework . In your dashboard, you can add a button like "Connect" and prompt the beginning of the OAuth flow.
Configuration
#
Your Client App will need a secret
, which the Whatnot team will generate and provide to you via secure link.
You will also need to provide us one or more redirect_uris
that we will redirect to after a user approves or denies the request for authorization.
Authorization Request
#
Whatnot supports "code" authentication which can be started with the following request (new lines included for readability):
If all values are valid, a 302 redirect with a Location header to Whatnot.com will be returned where the user may Approve or Deny the request.
Upon approval, your request uri will be called with the following params. The authorization code should be provided to request a token.
Token Request
#
You can then exchange the authorization code for an access token with the following request (new lines for readability):
This endpoint will return the following JSON:
You can then access the user's information to the requested scopes using the returned Access Token. You should store the Refresh Token to be used to obtain a new Access Token in the future.
Refresh tokens expire in 1 year, also subject to change.
Refreshing tokens
#
Tokens may be refreshed using the token endpoint and grant_type=refresh_token
as described in the OAuth Spec .
The response is identical to above:
The used refresh token will be invalidated, and you should store the newly returned Refresh Token.
Available Scopes
#
Your app will be assigned the maximum authorized scopes for the features it is expecting to provide. For example, if you will display Whatnot inventory in your platform,
and allow updates to it, you will be provided read:inventory
and write:inventory
. If you need to display orders in your platform, you may be issued read:orders
.
For external fulillment (BYOL), you will be provided write:orders
and read:customers
.
Each of these will be determined per client app, as needed. On a per-user basis, you may request less than your maximum if needed (e.g. if certain features are an upsell within your platform).
full_access
- Only granted via access
token to your own account. Never permitted for OAuth
read:inventory
- Allows reading products, variants, and listings from an account
write:inventory
- Allows creating, updating, and deleting products, variants, and listings
read:orders
- Allows reading orders from an account
write:orders
- Allows writing information to orders (e.g. Tracking Numbers)
read:customers
- Read customer information from an order such as address, email, and phone number. Only needed for off-platform fulfillment
Introduction
Rate limits