Store Authorization Workflow

Congratulations on getting started with the TCGplayer API! Now that you have a basic understanding of our various endpoints, let's figure out how a store can grant your application access to their prices and inventory information.

Reminder: Only the PUBLIC_KEY and PRIVATE_KEY are required; the ACCESS_TOKEN is optional. The ACCESS_TOKEN represents the contract between an application and a store. Using all three keys will return a BEARER_TOKEN that will allow your application to access the contracted store's information.

You should store the BEARER_TOKEN somewhere safe, as it has access to the store's pricing and inventory information (including the ability to modify those values).

Getting Connected

Getting a store connected to your application is a fairly straightforward process:

  • Present the user with a "Connect to TCGplayer" button. This is traditionally wrapped in a marketing page for your application. Show what your application does and what they're about to authorize your application to do.

  • The button will send the store to:{PublicKey}. Your "PublicKey" is the public API key that was provided to you during the sign-up process.

  • The store will log into their account and see a description about your application (which you provided during the registration process).

  • The store will then "Authorize" your application and receive a 6-digit "Authorization Code" (Alphanumeric), which they will copy/paste into an input field on your page. Note: The code has a 1-hour TTL before it is no longer valid.

  • Once you have received the Authorization Code from the store, make a POST to{code}. This will return the ACCESS_TOKEN (Field: "AuthorizationKey") that represents your application's contract with the store. Save the ACCESS_TOKEN and associate it with the store.

  • At this point, you will need to request a new Bearer Token than one you have previously authenticated with. This process is outlined in:
    The X-Tcg-Access-Token header is the Access_Token that you received in the previous step.

  • It's a good idea to call this endpoint to get the identity of the TCGplayer Store: Do this while using the BEARER_TOKEN generated using the ACCESS_TOKEN and it will return the store's "DisplayName" and "SellerKey".