Authentication

Our API supports two modes of authentication, each designed for different use cases:

  • API Keys. For direct partners building an integration to manage their own shop(s).
  • OAuth 2.0. For third-party applications (such as cross-listing tools) that will be used by multiple sellers.

Info

API Keys and OAuth 2.0 can't be configured by you directly; you will need to contact us first. If you are interested, please contact us at [email protected], and we'll get back to you with the next steps.

API Keys

These API Keys are used to authenticate requests made to the Depop API. They are static, long-lived bearer tokens for server-to-server integrations. Each shop has its own unique API key.

All requests you make will need to include an Authorization header with the API key as a bearer token, for example:

Authorization: Bearer pak_08f6bce70421de2daeeb72de6f94af8de2571ca1

OAuth 2.0

We use the industry-standard OAuth 2.0 Authorization Code Flow with PKCE.

This flow allows a Depop seller to grant your application specific permissions (or "scopes") to access their account data without ever sharing their password with you.

Quick OAuth 2.0 Flow summary

The OAuth 2.0 flow is a three-step process:

  1. Request Authorization: Your application redirects a seller to a Depop authorization page.

  2. User Grants Consent: The seller logs in to Depop and approves the permissions (scopes) your application is requesting.

  3. Exchange Code for Token: Depop redirects the seller back to your application with a temporary authorization_code. Your server then securely exchanges this code for a short-lived Access Token and a long-lived Refresh Token.
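Steps 1 and 3 of the flow above, sketched in Python as an added example (not Depop's code). The endpoint URL, client ID and redirect URI are placeholders, and the parameter names are assumed to be the standard ones from RFC 6749 and RFC 7636; only the products_read scope comes from this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): this page does not give endpoint URLs or client values.
AUTHORIZE_URL = "https://auth.example.invalid/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/callback"


def s256_challenge(verifier):
    """PKCE S256 transform (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(scope="products_read"):
    """Step 1: return the redirect URL and the secrets to keep in the server-side session."""
    verifier = secrets.token_urlsafe(32)  # 43 chars, inside the 43..128 range PKCE allows
    state = secrets.token_urlsafe(32)     # binds the later callback to this browser session
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state,
        "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), {"state": state, "code_verifier": verifier}


def build_token_request(callback_url, session):
    """Step 3: validate the callback, then return the form fields for the code exchange."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the callback was not started by this session.
    if not secrets.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: rejecting callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],  # the server checks this against the challenge
    }
```

The code_verifier and state stay in the server-side session between the two steps; only the derived code_challenge travels in the browser redirect.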

Scopes and Permissions

This flow uses granular permissions to limit what your application can do. For example, you might only request the products_read scope to view a seller's listings.

You can find a full list of available permissions in our OAuth Access Scopes reference.