Guides
My Account

Authentication

This article provides troubleshooting guidance for authentication and authorization issues.

How do I retrieve my API keys?

To retrieve your API keys, log in to your Walmart Developer account, go to the My Account page, and select API Keys under the Account section.

I am unable to retrieve my API keys. What should I do?

If you are unable to retrieve your API keys, please contact Walmart's Developer Support team at [email protected] for assistance.

How do I authenticate with Walmart Marketplace APIs?

Use OAuth 2.0 client-credentials to obtain a short-lived access token, then send it on every request. You can use the following sample request: 

curl --request POST \ --url https://marketplace.walmartapis.com/v3/token \ --header 'Authorization: Basic eW91cl9pZDp5b3VyX3NlY3JldA==' \ --header 'Accept: application/json' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data 'grant_type=client_credentials'

For more details on authentication and how to start integrating Walmart Marketplace APIs, refer to Get an access token using Token API

How do I generate or refresh an access token?

When the 15 minute access token nears expiry, you can refresh the access token using the refresh token. An access token expires after a certain interval, so you will have to refresh a user's access token. You could use refresh token, obtained from the token API call using authorization code grant type, to get a new access token. For detailed instructions, refer to Refresh access token.

What if I'm getting authentication failures?

Walmart Marketplace uses OAuth 2.0. Remove legacy signature headers and send a valid access token on each call.

  • Remove: WM_SEC.TIMESTAMP, WM_SEC.AUTH_SIGNATURE, WM_CONSUMER.ID
  • Add: WM_SEC.ACCESS_TOKEN: <access token>

Common 401 causes and fixes:

  • Token missing or expired. Refresh and resend.
  • Insufficient scopes. Grant the app the required permissions and retry.
  • Token present but placed in the wrong header. Use WM_SEC.ACCESS_TOKEN exactly.

Why am I getting invalid token or unauthorized errors?

  • 401 (invalid/expired) - The access token is missing, malformed, expired, or was created for a different environment. Renew your access token; confirm you’re using the right environment keys.
  • 403 (forbidden) - The token is valid, but your app/account doesn’t have permission (scope/role) to call that endpoint or access that resource. Check app scopes/roles.
  • Mixed environments - A sandbox token is being used with a production URL (or the reverse). Tokens and base URLs must come from the same environment.

Updated 7 days ago