Auction Software FAQ: eBay Passwords and Third-Party Services
By Andy Geldman
In this column, I will answer some common questions about software for online auction users. Some of these questions are ones I have been frequently asked, while others address areas that are not well understood, or have myths to dispel. If you have a question you would like to see answered here please contact me at the email address below.
Today's question is "Do third-party services need my eBay password?"
Software and websites that use the official eBay API do not require your eBay password. Instead, they use a system eBay call Auth&Auth ("Authorization & Authentication"), which allows them to access eBay on your behalf.
The first step of the Auth&Auth process usually occurs during registration with the service, when you will be directed to eBay and give your permission for them to act on your behalf. Note that you do not give your password directly to the service here, but simply log into the normal eBay site - which you can verify by checking the URL in the address bar, or by using the eBay Toolbar.
eBay provides the third-party service with a "token" (which looks like a piece of gibberish text). When they access eBay for you they use this token instead of your password to prove that they have your permission. The token expires after a period of time, typically 18 months, when you give your approval again and the token is renewed.
You can check which services currently have your permission on the eBay site: in My eBay click on "Preferences" under the Account heading, scroll down to "Third-party authorizations" near the bottom of the page, and click "Show" to expand the section. Here you will see any services that you have already given your authorization to. It is not unusual to see the same provider listed more than once, because authorization is on a per-tool, not a per-company basis.
To revoke an authorization, check the appropriate box then click "Apply", but be careful that you are not removing permission for a service that you are currently using. If you do revoke an authorization by accident, visit the third-party service's website where you should be able to set it up afresh.
There are many services that do not use the eBay API - see "What is the eBay API?" in AuctionBytes Update #150 for more information. These services often do require your password, so carry a greater risk of your account being compromised if the provider is hacked. To reduce the risk, choose a secure eBay password that you do not use on other sites, and only give it to a third party if you have complete confidence in them and their site's security.
What is the eBay API?
Auth&Auth Technical Documentation:
Protecting Your Password:
About the author:
Andy Geldman is a freelance ecommerce and IT consultant, and webmaster of Web Retailer, a guide to eBay software and services Andy lives in London, England and can be emailed at andy.geldman @ salubritas.com
You may quote up to 50 words of any article on the condition that you attribute the article to EcommerceBytes.com and either link to the original article or to www.EcommerceBytes.com.
All other use is prohibited.