Lazada Open Platform
Seller authorization introduction
If your application needs to access the business data of Lazada sellers (like product and order information) through Lazada Open Platform, you need to get the authorization from sellers, that is, the “Access Token” required for accessing the sellers’ data. You need to guide the sellers to complete the flow of “using Lazada seller account to log in and authorize the application”. This process uses the international OAuth2.0 standard protocol for user authentication and authorization.
Lazada Open Platform adopts the “Code for token” mode, described as follows.
Service address
| Environment | Service address |
|---|---|
| Central: for all countries (SG/MY/TH/VN/ID/PH) | https://auth.lazada.com/rest |
Authorization steps
The figure below shows the authorization steps:
1. Concatenate authorization URL
Sample link for authorization:
https://auth.lazada.com/oauth/authorize?response_type=code&force_auth=true&redirect_uri=${app call back url}&client_id=${appkey}
Note that the “client_id” and “redirect_uri” should be replaced with the ones of your own application.
The following table lists the parameters and their description.
| Parameter | Required? | Value | Parameter |
|---|---|---|---|
| client_id | Yes | The App Key of your application, assigned by Lazada Open Platform. | |
| redirect_uri | Yes | The callback URL you provided when creating the application. | The “redirect_uri” is used for receiving the code when a seller completes the authorization. It must be the same with the callback URL you provided when creating the application on Lazada Open Platform. |
| response_type | Yes | code | The authorization type, with the value of “code”. |
| force_auth | No | true | Refresh the web browser cookie for a new authorization session. |
| state | No | Customizable, like 1212. | The status of the application; the same for input and response. |
| uuid | No | This field is currently unavailable, please do not use it, otherwise an error will be reported. | |
| country | No | sg,my,th,vn,ph,id,cb | Specify the options of countries that are available in the “Country” drop-down list. For example, specifying “country=sg” means that only “Singapore” is available for choose; specifying “cb” means that the authorization is for “Crossborder” sellers only. Multiple values can be separated by comma. By default, all countries are listed. |
2. Guide sellers to authorize
Guide a seller to open the above authorization URL through the web browser. The following window with the login panel is displayed. The permissions to be granted to the application after the authorization are listed on the left. The seller selects the country, enters seller account and password, and clicks the “Sign in And Authorize” button to complete the authorization of the application.
Note:
For Cross Border sellers, you only need to authorize once for all the 6 ventures. Take the following steps to complete the authorization:
1. Select “Crossborder” from the Country dropdown list.
2. Authorize using the seller account and password for the MY site.
3. Use the code returned to the callback URL to get the access token. This access token can be used for all 6 ventures.
See the screen capture below.
3. Retrieve authorization code
After the seller completes the authorization, Lazada Open Platform will return the authorization code to the callback URL address. Your application can retrieve the code and use it to get the Access Token. The sample authorization code is shown below.
Note: Note: The authorization code is valid for half an hour and can only be used once. Once it expires, it needs to be re-authorized
4. Get the access_token
Use the /auth/token/create API to get the Access Token (access_token).
Code sample:
LazopClient client = new LazopClient("https://api.lazada.com/rest", "${appkey}", "${app_secret}");
LazopRequest request = new LazopRequest("/auth/token/create");
request.addApiParam("code", "0_TryzT8Vd9T1pwS7VWZ2qlMOS5");
LazopResponse response = client.execute(request);
System.out.println(response.getBody());
5. Save the token
The access token will expire in a specific period (expires_in). Before it expires, the seller does not need to authorize the application again. You need to save the latest token properly.
6. Sample of the token
Notes:
1. The “access_token” and “refresh_token” in this sample are for reference only.
2. For cross border sellers, the returned access token can be used for multiple sites. Therefore, the “country_user_info” section contains multiple country values.
{
"access_token": "50000601c30atpedfgu3LVvik87Ixlsvle3mSoB7701ceb156fPunYZ43GBg",
"refresh_token": "500016000300bwa2WteaQyfwBMnPxurcA0mXGhQdTt18356663CfcDTYpWoi",
"country": "cb",
"refresh_expires_in": 259200,
"account_platform": "seller_center",
"expires_in": 259200,
"account": "xxx@126.com"
"country_user_info":
[
{
"country":"sg",
"seller_id": "1001",
"user_id": 10101
},
{
"country":"my",
"seller_id": "2001",
"user_id": 20101
}
]
}
The following table lists the parameters in the token and their description.
|
Key
|
Type
|
Sample
|
Description
|
|
access_token
|
string
|
50000601c30atpedfgu3LVvik87Ixlsvle3mSoB7701ceb156fPunYZ43GBg
|
Access token.
|
|
refresh_token
|
string
|
500016000300bwa2WteaQyfwBMnPxurcA0mXGhQdTt18356663CfcDTYpWoi
|
Refresh token, used to refresh the token when “refresh_expires_in”>0.
|
|
expires_in
|
number
|
25920 (expires in 25920 seconds)
|
The expiring time of the access token, in seconds. For APPs in "Test" status, the value is 7 days. For APPs in "Online" status, the value is 30 days.
|
|
refresh_expires_in
|
number
|
25920 (expires in 25920 seconds)
|
The expiring time of the refresh token. For APPs in "Test" status, the value is 30 days. For APPs in "Online" status, the value is 180 days.
|
|
country
|
string
|
sg
|
The country ID (sg: Singapore, my: Malaysia, ph: Philippines, th: Thailand, id: Indonesia, vn: Vietnam).
|
|
account_id
|
string
|
706388888
|
User ID, which can be ignored when “account_platform” = “seller_center”.
|
|
account
|
string
|
User account.
|
|
|
account_platform
|
string
|
seller_center
|
User platform, supporting multiple platforms.
|
|
country_user_info
|
json
|
[
{
"country":"sg",
"seller_id": "1001",
"user_id": 10101
},
{
"country":"my",
"seller_id": "2001",
"user_id": 20101
}
] |
Matching with the parent field “country”.
if(country != 'cb'){
for(userInfo user_info : country_user_info){
if(user_info.country==country){
get user_info.user_id;
get user_info.seller_id;
break;
}
}
} elseif(country != 'cb'){
for(userInfo user_info : country_user_info){
get user_info.user_id;
get user_info.seller_id;
}
} |
Refresh authorization steps
1. Use “/auth/token/refresh” to refresh the access token
See the following code sample.
LazopClient client = new LazopClient("https://api.lazada.com/rest", "${appkey}", "${app_secret}");
LazopRequest request = new LazopRequest("/auth/token/refresh");
request.addApiParam("refresh_token", "50000601c30atpedfgu3LVvik87Ixlsvle3mSoB7701ceb156fPunYZ43GBg");
LazopResponse response = client.execute(request);
System.out.println(response.getBody());
The returned data structure by “/auth/token/refresh” is the same with that by getting the access token with authorization code. You will get new “access_token” and “refresh_token”. You must save the latest “refresh_token” for getting the new “access_token”. Note that the duration of the access token will be reset, but the duration of the refresh token will not be reset. After the refresh token expires, sellers need to re-authorize your application to generate new access token and refresh token.
Usage notes
- Sellers do not need to authorize again before the token expires.
- If “refresh_expires_in” = 0, the access token cannot be refreshed. Only when “refresh_expires_in” > 0, you can call the /auth/token/refresh API to refresh the access token.
- If token needs to be refreshed, it is recommended to refresh it 30 minutes before the token expires.
