Authentication Management

Authentication validates and verifies that a user is legitimate to the system and determines the level of access. Walmart API systems require each user to be authenticated before making API requests.

An access token represents authentication. This string value represents your access and authorization level for making the API request. For security reasons, each access token has a limited lifespan and is no longer valid after it expires. A new access token must then be generated. Access tokens can be generated as needed and as frequently as before each request, although the best practice is to use one until it is no longer valid.

Access tokens use Open Authorization (OAuth 2.0) for token-based authentication. Use the following to create an access token.

Token-Based Authentication

Generating an access token uses the Create an Access Token request (POST /token). It first requires an authentication value, which is generated from the API keys: the client ID and the client secret. These API keys were created at the time your account or company was created. The client secret is to be treated and protected as if it were a password. The two values are combined into a single encoded value. Combining and encoding these values provides additional security, especially with unsecured networks, such as those typically used with wireless applications.

The authentication value only has to be encoded once and can be reused afterward. It is a secured value and can be shared among users. It can even be included in an app as an enum value for convenient reuse in API requests.

You can obtain API keys in one of two ways: Using Existing API Keys or Creating new API Keys.

Using Existing API Keys

If you're using an existing or company account, you can get these values from your system administrator or development management. Your API keys can look different but will typically look like this:

Client ID: db7fdea5-013b-41fe-8960-4chf11196673
Client Secret: DehsAyrzXZK8bARud70Ou…8Sdm0HpijhQEFqOj4dUBXCd-2SxAaLg6C6XokjQMu8cGZvx3CxMdqiQ

The client ID is the public key of the two values. This can be shared among other users.

The client secret is the private key of the two values. Do not share it with others; treat it as a sensitive password.

Creating the API Keys

If there are no existing API keys, such as if you're using the account for the first time, you will need to create this API key pair. This one-time event is typically completed when your or your company's account is first created. To create these keys:

  1. Sign in to the Developer Portal. For example, this can be Developer Portal. Check with your system administrator or development management for the exact URL.
  2. Select My Account.
  3. Select 1P Supplier.
  4. Enter your sign-in account with your email and password.
  5. Create the client ID and client secret values from the API keys page.

Generating a Base 64 Encoded Authorization Value

The authorization value can be generated after getting the client ID and client secret values. To generate this value, encode the client ID and client secret values in Base 64 with the default values of UTF-8 character sets and Unix newline separators. Any Base 64 encoder can be used, including one generated programmatically through a programming language or one generated through a website. However, use a public website carefully, as the client secret needs to be protected and treated as a password.

Use the format: <client ID>:<client secret>

Example combined: db7f6eb5-01hb:DehsbzdUBXCd

For example, the following snippet shows one way to generate the encoding by using Python:

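```python
import base64
# <client ID>:<client secret>, joined by a single colon
string_to_encode = "db7fdea5-013b:DehsbzdUBXCd"
bytes_to_encode = string_to_encode.encode('utf-8')
encoded_bytes = base64.b64encode(bytes_to_encode)
encoded_value = encoded_bytes.decode('ascii')  # str for the Authorization header
```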

The result will be a string. For example: DE2Yi00MWZlLTg5NjAtNGTk2YNlFNdThjR1p2eDND

This authorization value will not change for the tenant unless the client ID or the client secret changes, which is typically uncommon. It is also a secure value; it does not expire and can be used in all related applications. The authorization value can even be hardcoded as an enum value to make requests more convenient.
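The following is an added example, not code from the original page or from Walmart. It builds the authorization value in the `<client ID>:<client secret>` format and then decodes it again. Because Base 64 is reversible, the round trip shows that the encoded value carries the client secret. The function names and the environment variable names `API_CLIENT_ID` and `API_CLIENT_SECRET` are assumptions made for this example.

```python
import base64
import binascii
import os

def build_authorization_value(client_id, client_secret):
    """Base64-encode '<client ID>:<client secret>' as UTF-8 (the format above)."""
    if not client_id or not client_secret:
        raise ValueError("client ID and client secret are both required")
    if ":" in client_id:
        # The first colon separates the two parts, so the ID cannot contain one.
        raise ValueError("client ID must not contain ':'")
    if any(ch in "\r\n" for ch in client_id + client_secret):
        # A pasted trailing newline silently changes the encoded value.
        raise ValueError("credentials must not contain line breaks")
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def recover_credentials(authorization_value):
    """Decode the value again: Base64 is an encoding, not encryption."""
    try:
        raw = base64.b64decode(authorization_value, validate=True)
    except binascii.Error as exc:
        raise ValueError("not a valid Base64 value") from exc
    client_id, sep, client_secret = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("decoded value has no ':' separator")
    return client_id, client_secret

def authorization_value_from_env(env=os.environ):
    """Read the keys from the environment instead of embedding them in source."""
    # Assumed variable names, not defined by the page.
    return build_authorization_value(env["API_CLIENT_ID"], env["API_CLIENT_SECRET"])
```

Anyone who holds the encoded value can run the equivalent of `recover_credentials` on it, so store and log it with the same care as the client secret.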

Generating an Access Token

After generating the authentication value, the access token can be created with the Create an Access Token request (POST /token). For more information, refer to Create Access Token API.

Header Parameters


| Name | Description | Required | Example |
| --- | --- | --- | --- |
| Authorization | Specifies the authorization value. Use the format: Basic followed by the base 64 encoded authorization value. See the Generating a Base 64 Encoded Authorization Value section earlier. | Yes | Basic 4d7dea5a-0f4a-4889-a7ba:aZb135mnS098aZb135mnS098aZb135mnS098 |
| WM_CONSUMER.CHANNEL.TYPE | Specifies an identifier that tracks the consumer request by channel. Use the consumer channel type received during onboarding. Contact your system administrator or development management for this value. | No | 0f3e4dd4-0514-4346-b39d-… |
| WM_QOS.CORRELATION_ID | Specifies a tracking identifier for the API call. This is used to track and debug issues. Any value can be used. | Yes | 12s4hfvgtr |
| WM_SEC.ACCESS_TOKEN | Specifies the access token retrieved in the Create Access Token request. | No | eyJraWQiOiIzZjVhYTFmNS1hYWE5LTQzM… |
| Accept | Specifies the returned data format in the response. Valid values are: application/xml, application/json | Yes | application/json, application/xml |
| Content-Type | Specifies the content type. | Yes | Can be null. |

Request Body

| Name | Description | Required | Example |
| --- | --- | --- | --- |
| grant_type | Specifies the literal client_credentials. | Yes | client_credentials |
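The following is an added example, not code from the original page or from Walmart. It assembles the POST /token request from the header and body parameters above and reuses one access token until it expires, as the introduction recommends. The base URL passed in, the `access_token` and `expires_in` response fields (taken from OAuth 2.0), the form-encoded Content-Type, and all function and class names are assumptions. Nothing is sent over the network.

```python
import time
import uuid
from urllib.parse import urlencode

def build_token_request(base_url, authorization_value, correlation_id=None):
    """Describe POST /token with the headers and body from the tables above."""
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + "/token",
        "headers": {
            "Authorization": "Basic " + authorization_value,
            "WM_QOS.CORRELATION_ID": correlation_id or uuid.uuid4().hex,
            "Accept": "application/json",
            # Assumption: the body is form-encoded, as OAuth 2.0 token requests are.
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "data": urlencode({"grant_type": "client_credentials"}),
    }

class TokenCache:
    """Hand out one access token until shortly before it expires."""

    def __init__(self, fetch, clock=time.monotonic, skew_seconds=30):
        self._fetch = fetch              # callable returning the parsed token response
        self._clock = clock              # injectable so expiry can be tested offline
        self._skew = skew_seconds        # renew a little early to avoid mid-request expiry
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at:
            reply = self._fetch()
            # Assumed OAuth 2.0 response fields: access_token, expires_in (seconds).
            self._token = reply["access_token"]
            self._expires_at = now + max(0, int(reply["expires_in"]) - self._skew)
        return self._token

    def invalidate(self):
        """Drop the cached token, e.g. after the API rejects it as expired."""
        self._token = None

def api_headers(cache, correlation_id=None):
    """Headers for a later API call, carrying the cached access token."""
    return {
        "WM_SEC.ACCESS_TOKEN": cache.get(),
        "WM_QOS.CORRELATION_ID": correlation_id or uuid.uuid4().hex,
        "Accept": "application/json",
    }
```

Pass `TokenCache` a `fetch` callable that sends the request from `build_token_request` with your HTTP client and returns the parsed JSON response.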