Authentication management

Walmart APIs require each user to be authenticated before making API requests. Authentication verifies that a user is authorized to access a system, and determines the user's level of access.

An access token is a string that authenticates a user and specifies the user's access and authorization level for making API requests. The Walmart 1P Supplier APIs use OAuth 2.0 bearer tokens for token-based authentication.

For security reasons, each access token has a limited lifespan, and is invalid after expiry. You can generate access tokens as needed, and as frequently as before each request, but it is best practice to use an existing access token until it is no longer valid.

Use the Create an access token API to create an access token.

Token-based authentication

Before you generate an access token, you must generate a Base64-encoded authorization value using the Client ID and Client Secret provided in your API keys. The two keys are combined into a single encoded string.

You only need to encode your authorization value once. It is a secured value that you can share among users. You can even include it in an app as an enumerated value (enum) for convenient reuse in API requests.

Obtaining your existing API keys

If you are using an existing account, you can get these values from your system administrator or development management. Your API keys will typically look like this:

Client ID: db7fdea5-013b-41fe-8960-4chf11196673
Client Secret: DehsAyrzXZK8bARud70Ou…8Sdm0HpijhQEFqOj4dUBXCd-2SxAaLg6C6XokjQMu8cGZvx3CxMdqiQ

The Client ID is the public key. You can share this value with other users.

The Client Secret is your private key. Do not share it with others; treat it as a sensitive password.

Creating new API keys

If you do not yet have API keys, create them using the following procedure:

  1. Sign in to the Developer Portal.
    Check with your system administrator or development management for your exact URL.
  2. Select My Account.
  3. Select 1P Supplier.
  4. Sign in to your account with your email and password.
  5. Create the Client ID and Client Secret values on the API keys page.

Generating a Base64-encoded authorization value

To generate your authorization value, encode your Client ID and Client Secret values in Base64 using the UTF-8 character set and Unix newline separators. Any Base64 encoder may be used, such as a programmatic encoder or a Base64 encoder web site.

Note:
Be cautious when using Base64 encoding websites, as your client secret needs to be protected and treated as a password.

Use the format: <Client ID>:<Client secret>

Example combined: db7f6eb5-01hb:DehsbzdUBXCd

The following snippet shows one way to encode your authorization value using Python:

string_to_encode = "db7fdea5-013b:DehsbzdUBXCd"
bytes_to_encode = string_to_encode.encode('utf-8')
encoded_bytes = base64.b64encode(bytes_to_encode)

The resulting encoded value is a string, such as DE2Yi00MWZlLTg5NjAtNGTk2YNlFNdThjR1p2eDND

Generating an access token

After you generate the authentication value, you can send a POST request to the v3/token endpoint to create your access token.

For more information, see the Create an access token API reference page.

Header parameters


NameDescriptionRequiredExample
AuthorizationSpecifies the authorization value in the format
Basic <authorizationvalue>.
YesBasic DE2Yi00MWZlLTg5NjAtNGTk2YNlFNdThjR1p2eDND
WM_CONSUMER.CHANNEL.TYPESpecifies an identifier that tracks the consumer request by channel.No0f3e4dd4-0514-4346-b39d-…
WM_QOS.CORRELATION_IDSpecifies an identifier for each API call that you can use to track and debug issues.Yes12s4hfvgtr
WM_SEC.ACCESS_TOKENSpecifies the access token retrieved in the create access token request.NoeyJraWQiOiIzZjVhYTFmNS1hYWE5LTQzM…
AcceptSpecifies the data format returned in the response.

Valid values are: **application/xml application/json**
Yesapplication/json
application/xml
Content-TypeSpecifies the content type.YesCan be null.

Request Body

NameDescriptionRequiredExample
grant_typeSpecifies the OAuth 2.0 client_credentials grant type.Yesclient_credentials