Server side

This guide explains how to perform the authentication/authorization flow on the server side, which is better suited to applications that execute server-side code, such as applications developed in Java, Grails, Go, etc.
The Open Platform team recommends using our SDKs since their functionality will streamline the authorization flow using the OAuth protocol.


Step by Step

These are the steps for the Server Side OAuth:

  • To begin, you will need the app ID and the secret key obtained when you created your application. If you have not done it yet, this guide provides the necessary steps.

  • When starting the authorization flow, your application should redirect users to Mercado Libre so that they can authenticate and subsequently grant permission to your application. You just need to redirect users to the following URL:

https://auth.mercadolibre.com.ar/authorization?response_type=code&client_id=App_id

Note: This example uses the URL for Argentina (MLA). If you are working with other countries, remember to replace .com.ar with the relevant country’s domain.
To see the countries where Mercado Libre operates, visit http://www.mercadolibre.com/

Parameters

response_type: code – It indicates that the intended operation is to obtain an authentication code that will enable your server to interact with Mercado Libre.
client_id: It is the App ID assigned to your app when created.
redirect_uri: URL – It is your server URL configured for your application.
Note: Remember that if you are working on localhost you can use http, but if you are working in a public domain you must use http and a port of fewer than 5 digits.
No need to worry about authentication of users in Mercado Libre, our platform will take care of that!

  • Once the user completes the authentication process, he/she will be redirected to your application's authorization page. There the user will be presented with all the requested permissions, along with your app description.

  • When permissions are granted, the user will be redirected to the Redirect URI configured for your Mercado Libre application (the redirect_uri parameter used in the authentication URL), with the authorization code appended as follows:
http://YOUR_REDIRECT_URI?code=SERVER_GENERATED_AUTHORIZATION_CODE


  • The authorization code is exchanged for the access_token (an access key to private resources, valid for 6 hours). To obtain the token, make the following POST:
https://api.mercadolibre.com/oauth/token?grant_type=authorization_code&client_id=APP_ID&client_secret=SECRET_KEY&code=SERVER_GENERATED_AUTHORIZATION_CODE&redirect_uri=REDIRECT_URI

Response:

{
	"access_token" : "APP_USR-6092-3246532-cb45c82853f6e620bb0deda096b128d3-8035443",
	"token_type" : "bearer",
	"expires_in" : 10800,
	"scope" : "write read"
}

Parameters

grant_type: authorization_code – It indicates that the intended operation is to exchange the “code” for an access_token.
client_id: It is the APP ID of the application you created.
client_secret: hash – The Secret Key generated for your application when created.
code: The authorization code obtained in the previous step.
redirect_uri: URL – The redirect URI configured for your application or one of the allowed domains.

  • Done! As you can see, you will have the access_token in the response to call our API and thus gain access to the user’s private data.
    For example, to access the user’s private information:
$ curl "https://api.mercadolibre.com/users/me?access_token=$ACCESS_TOKEN"

Response:

{
    "id": 178553776,
    "user_id": 206946886,
    "contact": null,
    "phone": null,
    "address_line": "Triunvirato 5555",
    "floor": null,
    "apartment": null,
    "street_number": "5555",
    "street_name": "Triunvirato",
    "zip_code": "1414",
    "city": {
      "id": "TUxBQlZJTDcwOTla",
      "name": "Villa Urquiza"
    },
    "state": {
      "id": "AR-C",
      "name": "Capital Federal"
    },
    "country": {
      "id": "AR",
      "name": "Argentina"
    },
    "neighborhood": {
      "id": null,
      "name": null
    },
    "municipality": {
      "id": null,
      "name": null
    },
    "search_location": {
      "state": {
        "id": "TUxBUENBUGw3M2E1",
        "name": "Capital Federal"
      },
      "city": {
        "id": null,
        "name": null
      },
      "neighborhood": {
        "id": null,
        "name": null
      }
    },
    "types": [
    ],
    "comment": "",
    "geolocation_type": "ROOFTOP",
    "latitude": -34.5676878,
    "longitude": -58.4933182,
    "status": "active",
    "date_created": "2016-02-24T16:29:59.000-04:00",
    "normalized": true,
    "open_hours": {
      "on_holidays": {
        "hours": [
        ],
        "status": "closed"
      }
    }
  }


  • Nothing lasts forever, not even our access_token. It will expire 6 hours after it was requested.



What happens if I need to work with an access_token for more than 6 hours?
If your app has the option offline_access selected, you will receive a refresh_token along with the access_token as shown before; you should save the refresh_token to be later exchanged for a new access_token upon expiration.
To refresh your access_token you need to make the following POST.

https://api.mercadolibre.com/oauth/token?grant_type=refresh_token&client_id=APP_ID&client_secret=SECRET_KEY&refresh_token=REFRESH_TOKEN

Parameters

grant_type: refresh_token – It indicates that the intended operation is to refresh a token.
refresh_token: The refresh token from the approval step.
client_id: The client ID of your application.
client_secret: The Secret Key generated for your app when created.

Response:

{
    "access_token" : "APP_USR-6092-3246532-cb45c82853f6e620bb0deda096b128d3-8035443",
	"token_type" : "bearer",
	"expires_in" : 10800,
	"refresh_token" : "TG-5005b6b3e4b07e60756a3353",
	"scope" : "write read offline_access"
}

The response includes the original access_token valid for 6 hours and a new refresh token.

This action will be repeated every time an access_token expires so remember to save the new refresh_token.
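
The code exchange and refresh cycle described above, sketched in Python as an added example (it is not Mercado Libre's SDK or code from this guide). `TokenManager`, `code_from_callback` and the `post(url, params)` transport are hypothetical names; the transport is assumed to send the parameters to the token endpoint and return the parsed JSON response.

```python
import time
from urllib.parse import parse_qs, urlsplit

TOKEN_URL = "https://api.mercadolibre.com/oauth/token"


def code_from_callback(callback_url):
    """Return the authorization code from the redirect; reject missing or repeated values."""
    codes = parse_qs(urlsplit(callback_url).query).get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one 'code' parameter")
    return codes[0]


class TokenManager:
    """Holds the access_token / refresh_token pair and renews it on expiry.

    `post` is a hypothetical transport: post(url, params) -> parsed JSON dict.
    """

    def __init__(self, app_id, secret_key, post, clock=time.time):
        self.app_id, self.secret_key = app_id, secret_key
        self.post, self.clock = post, clock
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _grant(self, **params):
        params.update(client_id=self.app_id, client_secret=self.secret_key)
        resp = self.post(TOKEN_URL, params)
        self.access_token = resp["access_token"]
        # Use expires_in from the response rather than a hard-coded lifetime.
        self.expires_at = self.clock() + int(resp["expires_in"])
        # Every refresh returns a new refresh_token; keep the newest one.
        self.refresh_token = resp.get("refresh_token", self.refresh_token)

    def exchange_code(self, code, redirect_uri):
        self._grant(grant_type="authorization_code", code=code, redirect_uri=redirect_uri)

    def token(self, skew=60):
        """Return a usable access_token, refreshing `skew` seconds before expiry."""
        if self.access_token is None:
            raise RuntimeError("no token yet: call exchange_code() first")
        if self.clock() >= self.expires_at - skew:
            if self.refresh_token is None:
                raise RuntimeError("token expired and no refresh_token (offline_access not selected)")
            self._grant(grant_type="refresh_token", refresh_token=self.refresh_token)
        return self.access_token
```

Where the endpoint accepts it, having the transport send `params` in the POST body rather than the query string keeps the secret key and refresh token out of URL logs.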

Server-Side Flow

In short, this is the process you will be performing:

[Diagram: Server-Side Flow]

References:
1) Redirect users to Mercado Libre.
2) No need to worry about authentication of users in Mercado Libre, our platform will take care of that!
3) Authorization page.
4) Your server makes a POST call to the Mercado Libre API to exchange the authorization code for an access token.
5) The Mercado Libre API exchanges the authorization code for an access token.
6) You can now use the access_token to call our API and thus gain access to the user’s private data.

a- Redirect

https://auth.mercadolibre.com.ar/authorization?response_type=code&client_id=APP_ID&redirect_uri=REDIRECT_URL

b-

GET
http://YOUR_REDIRECT_URI?code=SERVER_GENERATED_AUTHORIZATION_CODE

c-

POST
https://api.mercadolibre.com/oauth/token?grant_type=authorization_code&client_id=APP_ID&client_secret=SECRET_KEY&code=SERVER_GENERATED_AUTHORIZATION_CODE&redirect_uri=REDIRECT_URI

d- Response:

{
  "access_token" : "APP_USR-6092-3246532-cb45c82853f6e620bb0deda096b128d3-8035443",
  "token_type" : "bearer",
  "expires_in" : 10800,
  "scope" : "write read"
}
