Each channel uses its provider's OAuth (or token-exchange) flow. The Upstream module handles the redirect dance and stores the resulting credentials encrypted; Sales Channel reads those credentials when it makes API calls.
Connection flow
1. Begin the OAuth handshake

Call the Upstream auth-url endpoint for the vendor. This returns a URL to redirect the user to.

GET /connect/:vendor/auth-url (JWT)

```bash
curl "https://appengine.appmint.io/connect/shopify/auth-url?shop=acme-store.myshopify.com" \
  -H "Authorization: Bearer $JWT" -H "orgid: $ORG"
```

Response:

```json
{ "authUrl": "https://acme-store.myshopify.com/admin/oauth/authorize?..." }
```

2. User authorizes

Redirect the user to authUrl. They sign in to the channel, approve scopes, and the channel redirects back to the Upstream callback.

GET /connect/:vendor/callback (No auth)

The callback exchanges the code for an access token and persists the credentials under the vendor connection.

3. Enable the channel in Sales Channel

With credentials stored, enable the channel for use. This wires the provider into the Sales Channel registry and validates the connection.

POST /sales-channel/channels/:channelId/enable (JWT)

```bash
curl -X POST https://appengine.appmint.io/sales-channel/channels/shopify/enable \
  -H "Authorization: Bearer $JWT" -H "orgid: $ORG" \
  -H "Content-Type: application/json" \
  -d '{ "shop": "acme-store.myshopify.com", "syncInventory": true, "syncOrders": true, "defaultLocationId": "gid://shopify/Location/12345" }'
```

channelId is one of: amazon, ebay, walmart, etsy, shopify, woocommerce, google, bing, facebook, tiktok, pinterest.

4. Verify

GET /sales-channel/channels/:channelId/status (JWT)

```bash
curl https://appengine.appmint.io/sales-channel/channels/shopify/status \
  -H "Authorization: Bearer $JWT" -H "orgid: $ORG"
```

Returns connection health, last sync time, and any auth errors. A red status here means the credentials are missing or expired.
Per-channel auth notes
| Channel | Auth model |
|---|---|
| Amazon | LWA OAuth + SP-API credentials. Requires seller registration and SP-API app approval. Region-specific endpoints (NA, EU, FE). Uses refresh tokens. |
| eBay | OAuth 2.0. Requires an eBay Developer Program app. Production tokens require approval; sandbox tokens are immediate. |
| Shopify | OAuth 2.0 against `<shop>.myshopify.com`. Requires a Shopify Partner app or custom-app setup. Pass `shop` in the auth-url query. |
| WooCommerce | REST API key auth (consumer key + secret) — not OAuth. The user creates keys in WP-Admin and pastes them into the connect form. |
| Walmart | Walmart Marketplace API uses signed requests with WM_CONSUMER.ID and a private RSA key. No standard OAuth. |
| Etsy | OAuth 2.0 with PKCE. Requires Etsy Developer app. |
| Google Merchant | OAuth 2.0 against Google. Requires Merchant Center account ID. |
| TikTok Shop | OAuth 2.0. Requires TikTok Shop Partner app and merchant approval. |
| Facebook/Instagram Shop | OAuth via Meta Business. Requires a connected Commerce Manager account. |
Disabling and rotating credentials
/sales-channel/channels/:channelId/disable (JWT)

Disabling removes the channel from the active sync set but keeps stored credentials. Re-enabling does not require re-OAuth unless the token expired.
For credential rotation, re-run the auth-url → callback flow. The new token replaces the old one under the same vendor connection.
Most channels issue access tokens with expiries of 1 hour to 90 days, plus a long-lived refresh token. The Upstream module refreshes automatically on 401 responses, but a refresh-token revocation requires a fresh OAuth round-trip. Watch the channel status endpoint for auth errors so a revoked or expired token is noticed.
Connection storage
Credentials live in the vendor_connection collection under the org. They are AES-encrypted at rest and decrypted in memory only when a provider needs to make a call. Never read or log raw tokens — all logging in the Sales Channel module redacts auth headers.
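The rule above about never logging raw tokens also applies to your own client-side and proxy logs around this flow. The following is an added example, not AppMint's redaction code: a small shell filter that masks the three places a credential appears in this flow (the Authorization header, the `code` in the callback URL, and token fields in JSON bodies). The patterns, the JSON field names and every sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the Sales Channel module's code): mask credentials in
# log lines. Patterns, field names and sample lines are constructed.

# Shared sed program. Three cases tied to the connection flow:
#   1. Authorization headers (the Bearer JWT sent on every API call)
#   2. OAuth values carried in a URL query (the callback's ?code=...)
#   3. Token or secret fields inside JSON bodies
redact_stream() {
  sed -E \
    -e 's/([Aa]uthorization: *)(Bearer|Basic) +[^ "]+/\1\2 [REDACTED]/g' \
    -e 's/([?&](code|access_token|refresh_token)=)[^& "]+/\1[REDACTED]/g' \
    -e 's/("(access_token|refresh_token|consumer_secret)" *: *")[^"]*"/\1[REDACTED]"/g'
}

# Redact a single line passed as $1.
redact_line() {
  printf '%s\n' "$1" | redact_stream
}

# Audit helper: exit 0 if the line still holds an unmasked credential,
# that is, if redaction would change it. Already-redacted lines pass
# through unchanged, so the filter is safe to apply twice.
leaks_credentials() {
  [ "$(redact_line "$1")" != "$1" ]
}

# Constructed sample lines (no real tokens or org ids).
SAMPLE_HEADER='curl -H "Authorization: Bearer eyJ.constructed.sig" -H "orgid: org_123"'
SAMPLE_CALLBACK='GET /connect/shopify/callback?code=c0nstructed&shop=acme-store.myshopify.com 302'
SAMPLE_JSON='{"access_token":"tok_constructed","scope":"read_orders"}'
SAMPLE_CLEAN='GET /sales-channel/channels/shopify/status 200'

for line in "$SAMPLE_HEADER" "$SAMPLE_CALLBACK" "$SAMPLE_JSON" "$SAMPLE_CLEAN"; do
  if leaks_credentials "$line"; then
    printf 'LEAK   %s\n' "$(redact_line "$line")"
  else
    printf 'OK     %s\n' "$line"
  fi
done
```

To sweep an existing log file, pipe it through `redact_stream`; to gate a CI job, fail when `leaks_credentials` succeeds on any line.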