Zoekopdracht
Afsluiten
  1. Startpagina
  2. Forum
  3. API users
  4. API Authentification nonger possibel
Forumslijst Berichten lijst

API Authentification nonger possibel

  • klaus_schneider
    klaus_schneider 100% (86026x)
    PRO advanced

    293 berichten

    Duitsland

    Hello, the login has stopped working since last night. Were any changes made? Were any API keys invalidated? Regards
  • klaus_schneider
    klaus_schneider 100% (86026x)
    PRO advanced

    293 berichten

    Duitsland

    Update: Since about 11 a.m. this morning, the authentication process is no longer returning a token, but instead the error message "The API key is required!". Regards
  • @fred
    Beheerder
    @fred
    free

    167 berichten

    België

    Update: Since about 11 a.m. this morning, the authentication process is no longer returning a token, but instead the error message "The API key is required!". Regards
    • Aangemaakt 26 mrt 2026 op 06:59
    • #2009933
    Hi klaus_schneider,

    The API used to be very laxist with the data passed in a request. When a data was needed on an API call, the system retrieved the parameter by checking, in order, the GET parameters and then the POST parameters.
    It was considered a bad practice and it could potentially lead to security issues.

    Since this morning, we reinforced the way requests data are read on our side to be consistent with the API method. If the call is a POST, the data has to be passed in the POST data, and not in the url.

    For example, in your case, calling this url won't work anymore:
    POST /seller?apikey=xxx

    The correct way to authenticate can be found in the github documentation: Link (https)

    Another example with curl:
    curl --location ' Link (https) ' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'apikey=xxxx'

    Fred
  • Servitel
    Servitel
    free

    472 berichten

    Zwitserland

    Hi klaus_schneider,

    The API used to be very laxist with the data passed in a request. When a data was needed on an API call, the system retrieved the parameter by checking, in order, the GET parameters and then the POST parameters.
    It was considered a bad practice and it could potentially lead to security issues.

    Since this morning, we reinforced the way requests data are read on our side to be consistent with the API method. If the call is a POST, the data has to be passed in the POST data, and not in the url.

    For example, in your case, calling this url won't work anymore:
    POST /seller?apikey=xxx

    The correct way to authenticate can be found in the github documentation: Link (https)

    Another example with curl:
    curl --location ' Link (https) ' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'apikey=xxxx'

    Fred
    • Aangemaakt 26 mrt 2026 op 07:17
    • #2009945
    A good idea is to ADVICE in advance for modifications. We have passed the afternoon changing all calls :angryfire:
  • my_postales
    my_postales 100% (70843x)
    PRO premium

    53 berichten

    Duitsland

    Dear delcampe API team

    you changed the API-AUTH-METHOD without informing the respective users in advance ?
    Why are you doing this ? It's clearly maximum inappropriate !

    Overthink you action/communication method pls !
  • uniquehorn
    uniquehorn 100% (28x)

    38 berichten

    Zweden

    Dear delcampe API team

    you changed the API-AUTH-METHOD without informing the respective users in advance ?
    Why are you doing this ? It's clearly maximum inappropriate !

    Overthink you action/communication method pls !
    • Aangemaakt 27 mrt 2026 op 12:56
    • #2010701
    The correct word in English is "reconsider" - Delcampe should reconsider their methods.

    "Overthink" is something quite different.
  • my_postales
    my_postales 100% (70843x)
    PRO premium

    53 berichten

    Duitsland

    The correct word in English is "reconsider" - Delcampe should reconsider their methods.

    "Overthink" is something quite different.
    • Aangemaakt 27 mrt 2026 op 14:43
    • #2010791
    @ uniquehorn

    you are completely right ! thnx
  • @fred
    Beheerder
    @fred
    free

    167 berichten

    België

    Hi everyone,

    We're sorry about this update, we didn't think it would have this much impact on your codebase. This was a necessary change for security reason but we could have handled it better.

    In the future we will be more careful when doing this king of changes in the API and we will try to inform you in advance to prevent this situation.

    Fred
  • klaus_schneider
    klaus_schneider 100% (86026x)
    PRO advanced

    293 berichten

    Duitsland

    Hello,
    thank you for this admission, especially since it's not the first time something like this has occurred. We were able to quickly fix the problem on our end because it only required adjusting a central function, but it seems to have been more complex for others.

    I'd also like to take this opportunity to remind you about the open issue with the API between Delcampe and PayPal; see the post from a week ago. This problem is causing dead payments. This cannot continue...
    Best regards
  • ansichtskartenpool
    ansichtskartenpool 100% (77192x)
    PRO premium

    42 berichten

    Duitsland

    Did you change something again by "accident"? Since yesterday I've been getting the message "undefined method `authority' for #". Therefore, no token- nothing at all.
  • @fred
    Beheerder
    @fred
    free

    167 berichten

    België

    Did you change something again by "accident"? Since yesterday I've been getting the message "undefined method `authority' for #". Therefore, no token- nothing at all.
    • Aangemaakt 15 apr 2026 op 09:38
    • #2017022
    Hi ansichtskartenpool,

    This message is weird and doesn't correspond to anything in our system. When did you get the error? When trying to get a token with the "POST /seller" endpoint?

    Fred
  • ansichtskartenpool
    ansichtskartenpool 100% (77192x)
    PRO premium

    42 berichten

    Duitsland

    Hi ansichtskartenpool,

    This message is weird and doesn't correspond to anything in our system. When did you get the error? When trying to get a token with the "POST /seller" endpoint?

    Fred
    • Aangemaakt 16 apr 2026 op 04:41
    • #2017250
    yes
  • ansichtskartenpool
    ansichtskartenpool 100% (77192x)
    PRO premium

    42 berichten

    Duitsland

    But I just noticed that the message is coming from the REST client I'm using, which means it probably has nothing to do with you. I'll investigate further. It's just strange since there haven't been any changes.
  • fnwbr
    fnwbr 100% (1x)

    40 berichten

    Duitsland

    Hi klaus_schneider,

    The API used to be very laxist with the data passed in a request. When a data was needed on an API call, the system retrieved the parameter by checking, in order, the GET parameters and then the POST parameters.
    It was considered a bad practice and it could potentially lead to security issues.

    Since this morning, we reinforced the way requests data are read on our side to be consistent with the API method. If the call is a POST, the data has to be passed in the POST data, and not in the url.

    For example, in your case, calling this url won't work anymore:
    POST /seller?apikey=xxx

    The correct way to authenticate can be found in the github documentation: Link (https)

    Another example with curl:
    curl --location ' Link (https) ' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'apikey=xxxx'

    Fred
    • Aangemaakt 26 mrt 2026 op 07:17
    • #2009945
    Any chance that this change did not make it to the `/item/bulk` POST endpoint?

    We're seeing "401 Unauthorized" when trying to POST to `/item/bulk` and sending the token as part of the POST data, and not in the URL.
  • fnwbr
    fnwbr 100% (1x)

    40 berichten

    Duitsland

    Can confirm, that after sending the token as part of the URL it's working again.

    This works:
    POST /item/bulk/?token=xxx

    Sending the token as part of the POST data does **not** work for this endpoint `/item/bulk` in particular.

    Honestly, I can only repeat what other people have said on this thread already: it's disappointing and saddening to see, with how little care and attention to detail these changes are being deployed to your production systems.
  • ansichtskartenpool
    ansichtskartenpool 100% (77192x)
    PRO premium

    42 berichten

    Duitsland

    That should be the explanation then for Link (https)
  • @fred
    Beheerder
    @fred
    free

    167 berichten

    België

    Can confirm, that after sending the token as part of the URL it's working again.

    This works:
    POST /item/bulk/?token=xxx

    Sending the token as part of the POST data does **not** work for this endpoint `/item/bulk` in particular.

    Honestly, I can only repeat what other people have said on this thread already: it's disappointing and saddening to see, with how little care and attention to detail these changes are being deployed to your production systems.
    • Aangemaakt 17 apr 2026 op 10:30
    • #2017703
    Hi fnwbr,

    The token has to be in the url, as stated in the documentation: Link (https)

    I will change the code to allow it to be either in the url or in the POST data, to be consistent with the http method used

    Fred