eBay API OAuth Scope issue "The requested scope is invalid, unknown, malformed, or exceeds the scope granted to the client"

Question

I have been experimenting with the sandbox and production eBay API. I managed to get the sandbox API to work but only if the scope list is empty. If I add the scopes, it returns an error message The requested scope is invalid, unknown, malformed, or exceeds the scope granted to the client. I am trying to understand why this error is occurring and how I can alter scopes.

Here is a successful access token returned for the sandbox api. Notice how the scopes parameter is unchecked and not sent in the request body. The scope list is not specified but it still works and returns an access token. Why is this? Wouldn't it need scopes?

When I enable the scopes, I receive the error

The requested scope is invalid, unknown, malformed, or exceeds the scope granted to the client

Let's go through an example:

I want to use a "Client Credentials Grant Type" and not an "Authorization Code Grant". Be aware that a client credential does not require user authorization since it is meant for application use only. Therefore, this post does not apply to the question.

Here is a client credential scope that my application keyset has access to.

Here I create and send the request with the "https://api.ebay.com/oauth/api_scope" scope. I have URL encoded the scope per the documentation.

Here I create and send the request in postman with no scope specified. An access code is successfully returned.

Why does the access code request fail if a scope is specified? Do I not need to specify scopes beacuse I see this in the documentation....

How do I know if an endpoint falls under an "ebay call" and doesn't require a scope? ....or does it require a scope?

Answer 1

Why your request succeeds with no scopes

Take a look at this section on the bay api site.

It says:

"Scopes and refresh tokens
When creating a User access token, you must supply a list of scopes in your consent request. (See Getting the list of scopes assigned to your application.) For more details, see The authorization code grant flow.

When requesting a refresh token, you can either:

include an optional scope parameter to supply a list of scopes; or

include no scope parameter and default to the set of scopes included in the consent request"

I believe when you send a request with no scopes, it defaults to another list of scopes and that's why your request succeeds with no scopes.

Why your request fails

One the same page in this section: it says: "The request you use to generate the new token must include a list of scopes that allows access to all the methods you plan to call with the token."

I can't see all your scopes in your example but my guess is you are sending your request without all of the scopes you need for your application and, if you send a request with anything less than all scopes, it will reject your request.

How to check the needed scopes for your token request

On that page there is this section that covers seeing the all scopes you need for a request

If you follow the instructions you should be able to see an example request and see what kind of scopes you have assigned to your application.

OAuth can be tricky but it looks like you're on the right path! Sometimes stepping away from it helps too but I think you're on the right path and hope this helps!