Authorization and Token Recommendations
Obtain access token by sending body parameters
When you POST to the /oauth/token resource to get the access token, send the parameters in the request body, not in the query string. Query strings are routinely written to web-server and proxy logs and can leak through browser history or Referer headers, so keeping the client secret and authorization code in the body is the safer exchange.
curl -X POST \
  -H 'accept: application/json' \
  -H 'content-type: application/x-www-form-urlencoded' \
  'https://api.mercadolibre.com/oauth/token' \
  -d 'grant_type=authorization_code' \
  -d "client_id=$client_id" \
  -d "client_secret=$client_secret" \
  -d "code=$code" \
  -d "redirect_uri=$redirect_uri"
ID generation to obtain an access token
As an optional measure to increase the security of the process that obtains access tokens, we recommend that you generate a cryptographically secure random value and send it as the state parameter. Because the value is unpredictable and tied to the user's session, it lets you reject callbacks that were not started by your application (a forged or replayed login).
For example to create the secure random id, in Java:
SecureRandom random = new SecureRandom();                      // java.security.SecureRandom: CSPRNG, not java.util.Random
String state = new BigInteger(130, random).toString(32);       // java.math.BigInteger: 130 random bits as a base-32 string
Example adding state:
curl -X GET "https://auth.mercadolibre.com.ar/authorization?response_type=code&client_id=$APP_ID&state=ABC123&redirect_uri=$REDIRECT_URL"
You will receive the authorization code together with the same state value on the return URL you specified, in the form $REDIRECT_URL?code=<authorization_code>&state=ABC123
Remember to compare the returned state with the value you generated for that session, and reject the response if it does not match: a mismatch means the callback does not belong to a request initiated by your application.
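The full state round trip, written as an added Python example (not code from the Mercado Libre documentation): generate the value from the OS CSPRNG, remember it per browser session, then consume it exactly once on the callback with a constant-time comparison and an expiry. The in-memory dictionary, the ten-minute TTL and the session ids are assumptions standing in for whatever session store your application uses.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_URL = "https://auth.mercadolibre.com.ar/authorization"
STATE_TTL_SECONDS = 600  # assumption: a pending login is abandoned after ten minutes

# Constructed stand-in for a server-side session store: session id -> (state, issued_at).
_pending_states = {}


def new_state() -> str:
    """32 bytes from the OS CSPRNG, URL-safe and unpadded (43 characters)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(session_id: str, app_id: str, redirect_uri: str) -> str:
    """Start a login: mint a state, bind it to the session, build the redirect."""
    state = new_state()
    _pending_states[session_id] = (state, time.time())
    query = urlencode({
        "response_type": "code",
        "client_id": app_id,
        "state": state,
        "redirect_uri": redirect_uri,  # must equal the URL registered for the application
    })
    return f"{AUTH_URL}?{query}"


def state_from_url(url: str) -> str:
    """Extract the state parameter from a URL (used by callers and tests)."""
    return parse_qs(urlsplit(url).query).get("state", [""])[0]


def handle_callback(session_id: str, callback_url: str):
    """Return the authorization code if the callback matches a pending request, else None."""
    params = parse_qs(urlsplit(callback_url).query)
    code = params.get("code", [None])[0]
    returned_state = params.get("state", [None])[0]
    # Single use: the pending entry is removed whether or not the check succeeds,
    # so a captured callback cannot be replayed.
    pending = _pending_states.pop(session_id, None)
    if pending is None or code is None or returned_state is None:
        return None
    expected_state, issued_at = pending
    if time.time() - issued_at > STATE_TTL_SECONDS:
        return None
    # Constant-time comparison so timing does not leak how many leading bytes matched.
    if not hmac.compare_digest(expected_state, returned_state):
        return None
    return code
```

On success the caller exchanges the returned code at /oauth/token (body parameters, as above); on None it should show an error and never call the token endpoint.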
Use of same redirect URI
Remember to send as redirect_uri exactly the same URL you set when creating your application (same scheme, host and path); a redirect_uri that differs from the registered one must not be accepted, because an attacker-controlled value would let the authorization code be delivered to them.
Validation of URLs to receive notifications
First validate the origin, so that you only process notifications that really come from Mercado Libre. Then check the URLs contained in each notification before your application consults them, making sure every resource resolves to a valid Mercado Libre API path: a forged notification carrying an arbitrary URL would otherwise make your application fetch that URL with your credentials.
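An added Python example (not part of the Mercado Libre documentation) of both checks from the paragraph above: a source-address allowlist, and a resource path check that refuses absolute URLs, protocol-relative URLs and dot segments before the path is joined to https://api.mercadolibre.com. The notification body shape (a JSON object whose "resource" field holds a path) and the allowlisted network in the usage are assumptions for illustration; use the origin information Mercado Libre actually publishes for your environment.

```python
import ipaddress
import json
from urllib.parse import unquote, urlsplit

API_BASE = "https://api.mercadolibre.com"


def source_allowed(source_ip: str, allowed_networks) -> bool:
    """True if the sender's address falls inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowed_networks)


def safe_resource_url(resource):
    """Return the absolute API URL for a notification's resource path, or None if unsafe."""
    if not isinstance(resource, str) or not resource.startswith("/"):
        return None                      # must be a path relative to the API root
    if resource.startswith("//"):
        return None                      # protocol-relative URL: would change the host
    if any(ch in resource for ch in "\\\r\n\x00"):
        return None                      # backslashes and control characters confuse parsers
    parts = urlsplit(resource)
    if parts.scheme or parts.netloc:
        return None                      # absolute URL smuggled into the field
    # Reject dot segments, including percent-encoded ones the server would decode.
    if any(seg in (".", "..") for seg in unquote(parts.path).split("/")):
        return None
    url = API_BASE + resource
    final = urlsplit(url)
    if final.scheme != "https" or final.netloc != "api.mercadolibre.com":
        return None                      # belt and braces: the join must not have moved the host
    return url


def parse_notification(body: str, source_ip: str, allowed_networks):
    """Validate origin and resource; return the URL to consult, or None to drop the notification."""
    if not source_allowed(source_ip, allowed_networks):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    return safe_resource_url(payload.get("resource"))


# Constructed sample: TEST-NET-3 stands in for the real sender range (assumption).
ALLOWED_NETWORKS = ["203.0.113.0/24"]
SAMPLE_BODY = '{"resource": "/orders/2195160686", "topic": "orders_v2"}'  # constructed

if __name__ == "__main__":
    print(parse_notification(SAMPLE_BODY, "203.0.113.7", ALLOWED_NETWORKS))
```

Returning None for anything suspicious (rather than trying to repair the path) is deliberate: a notification you cannot fully trust is cheaper to drop than to follow, since the resource can always be re-fetched later.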
Send access token by header
To reinforce the security of your application, send the access token in a header instead of as a query parameter every time you make an API call; a token in the query string is exposed in logs, browser history and Referer headers, while a header is not.
The access token will be sent in the Authorization header as follows:
Authorization: Bearer APP_USR-12345678-031820-X-12345678
For example, via curl the GET to the /users/me resource would be as follows:
curl -H 'Authorization: Bearer APP_USR-12345678-031820-X-12345678' \
  https://api.mercadolibre.com/users/me
Access token on all requests
In every call you make to the Mercado Libre API, remember to include the access token, for public as well as private resources.