API Integration with Token
Token-based integration is a method for connecting third-party services or your own systems to the seller portal. A token is a digital key used to authenticate and authorise API requests.
When to use token integration
Use token integration when you need to:
- Automate order processing or inventory updates from your own software
- Connect a third-party ERP, WMS, or accounting system to the portal
- Build custom dashboards or reporting tools using live portal data
- Enable a partner service to act on your behalf within defined scopes
Tip: For information about what the API is and why sellers need it, read the separate API overview article.
How it works
The integration flow consists of three stages:
- Token generation — you create a token in the portal with the required scopes.
- Token delivery — you pass the token to your application or third-party service.
- API calls — the application uses the token as a Bearer credential in the HTTP Authorization header.
| Step | Actor | Action | Result |
|---|---|---|---|
| 1 | Seller | Creates token in portal settings | Token string issued |
| 2 | Seller | Copies token to application config | App authenticated |
| 3 | Application | Sends API request with Authorization header | Data returned or action performed |
| 4 | Portal | Validates token and logs request | Audit trail created |
Choosing a token type
The portal offers four token types. Choose based on your use case and required level of access.
Personal token
Tied to your individual seller account. Grants full access to all API endpoints your account is authorised for. Use this for personal scripts or testing only — never share it.
Important: If your personal token is compromised, revoke it immediately from the Settings → API Tokens page. All active sessions using the token will be terminated.
Service token
Scoped to specific API groups (e.g. Orders only, Products only). Ideal for sharing with third-party integrators — they only get access to what they need, nothing more.
Note: Service tokens do not expire automatically. Set a manual expiration date for any token shared with an external provider, and rotate tokens every 90 days as a security best practice.
Security rules
- Never hardcode tokens in source code — use environment variables or a secrets manager.
- Rotate tokens every 90 days or immediately after a suspected compromise.
- Grant only the minimum necessary scopes for each token.
- Monitor the API access log under Settings → API Logs for unexpected activity.
- Do not transmit tokens over unencrypted (HTTP) connections.
Troubleshooting
| Error | Code | Cause | Resolution |
|---|---|---|---|
| Unauthorized | 401 | Token missing or malformed | Check Authorization header format |
| Forbidden | 403 | Token lacks required scope | Regenerate token with correct scopes |
| Token expired | 401 | Token past expiration date | Generate a new token |
| Rate limit exceeded | 429 | Too many requests per minute | Implement exponential backoff |
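Example added here (not the portal's own code): a small Python client that applies the security rules and the troubleshooting table above. It reads the token from the environment, refuses non-HTTPS URLs, sends the Bearer header, fails fast on 401/403, and backs off exponentially on 429. The variable name PORTAL_API_TOKEN and the portal.example URL in the usage note are placeholders, not values from the portal.

```python
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

TOKEN_ENV_VAR = "PORTAL_API_TOKEN"  # placeholder name, not defined by the portal


def load_token(env=os.environ):
    """Read the token from the environment instead of source code."""
    token = env.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV_VAR} is not set")
    return token


def build_request(url, token):
    """Attach the Bearer credential, refusing unencrypted URLs."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send token over a non-HTTPS URL")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def http_send(request):
    """Default transport: return (status, body) even for error statuses."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def call_api(url, token, send=http_send, retries=4, base_delay=1.0, sleep=time.sleep):
    """Call the API; back off on 429, fail fast on 401/403."""
    request = build_request(url, token)
    for attempt in range(retries + 1):
        status, body = send(request)
        if status == 429 and attempt < retries:
            sleep(base_delay * 2 ** attempt)  # waits 1s, 2s, 4s, ...
            continue
        if status == 401:
            raise PermissionError("401: token missing, malformed or expired")
        if status == 403:
            raise PermissionError("403: token lacks the required scope")
        if status == 429:
            raise RuntimeError("429: rate limit still exceeded after retries")
        return status, body
```

Typical use is `call_api("https://portal.example/api/orders", load_token())`; a 401 or 403 is raised rather than retried because neither is fixed by waiting.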